p5t2vspoqqw 6 years ago
commit 4b657b3822

@ -1,3 +1,38 @@
# 2019-05-25
## Support for exposing container ports publicly (not just to the host)
Until now, various roles supported a `matrix_*_expose_port` variable, which would expose their container's port to the host. This was mostly useful for reverse-proxying manually (in case `matrix-nginx-proxy` was disabled). It could also be used for installing some playbook services (e.g. bridges, etc.) and wiring them to a separate (manual) Matrix setup.
`matrix_*_expose_port` variables were not granular enough - sometimes they would expose one port, other times multiple. They also didn't provide control over **where** to expose (to which port number and to which network interface), because they would usually hardcode something like `127.0.0.1:8080`.
All such variables have been superseded by a better (more flexible) way to do it.
**Most** people (including those not using `matrix-nginx-proxy`), **don't need** to bother with this.
Porting examples follow for people having more customized setups:
- **from** `matrix_synapse_container_expose_client_api_port: true` **to** `matrix_synapse_container_client_api_host_bind_port: '127.0.0.1:8008'`
- **from** `matrix_synapse_container_expose_federation_api_port: true` **to** `matrix_synapse_container_federation_api_plain_host_bind_port: '127.0.0.1:8048'` and possibly `matrix_synapse_container_federation_api_tls_host_bind_port: '8448'`
- **from** `matrix_synapse_container_expose_metrics_port: true` **to** `matrix_synapse_container_metrics_api_host_bind_port: '127.0.0.1:9100'`
- **from** `matrix_riot_web_container_expose_port: true` **to** `matrix_riot_web_container_http_host_bind_port: '127.0.0.1:8765'`
- **from** `matrix_mxisd_container_expose_port: true` **to** `matrix_mxisd_container_http_host_bind_port: '127.0.0.1:8090'`
- **from** `matrix_dimension_container_expose_port: true` **to** `matrix_dimension_container_http_host_bind_port: '127.0.0.1:8184'`
- **from** `matrix_corporal_container_expose_ports: true` **to** `matrix_corporal_container_http_gateway_host_bind_port: '127.0.0.1:41080'` and possibly `matrix_corporal_container_http_api_host_bind_port: '127.0.0.1:41081'`
- **from** `matrix_appservice_irc_container_expose_client_server_api_port: true` **to** `matrix_appservice_irc_container_http_host_bind_port: '127.0.0.1:9999'`
- **from** `matrix_appservice_discord_container_expose_client_server_api_port: true` **to** `matrix_appservice_discord_container_http_host_bind_port: '127.0.0.1:9005'`
As always, if you forget to remove usage of some outdated variable, the playbook will warn you.
# 2019-05-23 # 2019-05-23
## Ansible 2.8 compatibility ## Ansible 2.8 compatibility
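Review bot: the porting list in the 2019-05-25 entry has no line for the Telegram bridge, although this commit also replaces `matrix_mautrix_telegram_container_exposed_port_number` with `matrix_mautrix_telegram_container_http_host_bind_port`. Add a **from**/**to** entry for it, and say once in the entry that the new variables take an `<ip>:<port>` or `<port>` string rather than `true`, so that the "rename and keep the value" reading is ruled out.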

@ -9,7 +9,7 @@ For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work,
Other important prerequisite is the `dimension.<your-domain>` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. Other important prerequisite is the `dimension.<your-domain>` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
## Enable ## Enable
[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/matrix.<your-domain>/vars.yml`): [Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml ```yaml
matrix_dimension_enabled: true matrix_dimension_enabled: true
@ -18,7 +18,7 @@ matrix_dimension_enabled: true
## Define admin users ## Define admin users
These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon.
Add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`): Add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml ```yaml
matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com'] matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com']
@ -37,7 +37,7 @@ To get an access token, follow these steps:
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
Add access token to your configuration file (`inventory/matrix.<your-domain>/vars.yml`): Add access token to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml ```yaml
matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE" matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE"

@ -3,7 +3,7 @@
By default, this playbook would set up a PostgreSQL database server on your machine, running in a Docker container. By default, this playbook would set up a PostgreSQL database server on your machine, running in a Docker container.
If that's alright, you can skip this. If that's alright, you can skip this.
If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/matrix.<your-domain>/vars.yml`). If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
It should be something like this: It should be something like this:
```yaml ```yaml

@ -6,7 +6,7 @@ That is, people on your server can communicate with people on any other Matrix s
## Federating only with select servers ## Federating only with select servers
To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`): To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml ```yaml
matrix_synapse_federation_domain_whitelist: matrix_synapse_federation_domain_whitelist:
@ -19,10 +19,10 @@ If you wish to disable federation, you can do that with an empty list (`[]`), or
## Disabling federation ## Disabling federation
To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`): To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml ```yaml
matrix_synapse_federation_enabled: false matrix_synapse_federation_enabled: false
``` ```
With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server. With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.

@ -13,13 +13,13 @@ No matter which external webserver you decide to go with, you'll need to:
1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx` 1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`
2) Edit your configuration file (`inventory/matrix.<your-domain>/vars.yml`) to disable the integrated nginx server: 2) Edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable the integrated nginx server:
```yaml ```yaml
matrix_nginx_proxy_enabled: false matrix_nginx_proxy_enabled: false
``` ```
3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval: 3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:
```yaml ```yaml
matrix_ssl_retrieval_method: none matrix_ssl_retrieval_method: none

@ -29,7 +29,7 @@ You'll need an Amazon S3 bucket and some IAM user credentials (access key + secr
} }
``` ```
You then need to enable S3 support in your configuration file (`inventory/matrix.<your-domain>/vars.yml`). You then need to enable S3 support in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
It would be something like this: It would be something like this:
```yaml ```yaml

@ -89,10 +89,8 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/
If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container:
```yaml ```yaml
matrix_nginx_proxy_container_additional_volumes: matrix_synapse_container_extra_arguments:
- src: /some/path/on/the/host - "--mount type-bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro"
dst: /some/path/inside/the/container
options: ro
``` ```
You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`. You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`.
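Review bot: `type-bind` in the added `--mount` line should be `type=bind`; the role tasks changed in this same commit use `--mount type=bind,src=...`, and the example as written gives readers a malformed mount argument. The replacement variable is also `matrix_synapse_container_extra_arguments`, while this section is about certificates read through `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate`, and the removed line was `matrix_nginx_proxy_container_additional_volumes`. The mount needs to go on the nginx proxy container, so the example should use that role's extra-arguments variable, not Synapse's.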
@ -118,10 +116,8 @@ Make sure to reload/restart your webserver once in a while, so that newer certif
To do that, make sure the certificate files are mounted into the Synapse container: To do that, make sure the certificate files are mounted into the Synapse container:
```yaml ```yaml
matrix_synapse_container_additional_volumes: matrix_synapse_container_extra_arguments:
- src: /some/path/on/the/host - "--mount type-bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro"
dst: /some/path/inside/the/container
options: ro
``` ```
You can then tell Synapse to serve Federation traffic over TLS on `tcp/8448`: You can then tell Synapse to serve Federation traffic over TLS on `tcp/8448`:
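Review bot: the same `type-bind` typo is repeated in the added `--mount` line of this hunk; it should read `type=bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro`. Here `matrix_synapse_container_extra_arguments` is the right variable, since the text mounts the files into the Synapse container.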

@ -6,7 +6,7 @@ This is for when you wish to have your own Apache webserver sitting in front of
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page. See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
To use your own Apache reverse-proxy, you first need to disable the integrated nginx server. To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
You do that with the following custom configuration (`inventory/matrix.<your-domain>/vars.yml`): You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml ```yaml
matrix_nginx_proxy_enabled: false matrix_nginx_proxy_enabled: false

@ -36,8 +36,8 @@ matrix_appservice_discord_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`). # matrix-appservice-discord's client-server port to the local host.
matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
matrix_appservice_discord_systemd_required_services_list: | matrix_appservice_discord_systemd_required_services_list: |
{{ {{
@ -64,8 +64,8 @@ matrix_appservice_irc_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`). # matrix-appservice-irc's client-server port to the local host.
matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}"
matrix_appservice_irc_systemd_required_services_list: | matrix_appservice_irc_systemd_required_services_list: |
{{ {{
@ -122,6 +122,8 @@ matrix_mautrix_telegram_systemd_required_services_list: |
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}"
###################################################################### ######################################################################
# #
# /matrix-bridge-mautrix-telegram # /matrix-bridge-mautrix-telegram
@ -162,8 +164,9 @@ matrix_corporal_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). # matrix-corporal's web-server ports to the local host.
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}"
matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}"
matrix_corporal_systemd_required_services_list: | matrix_corporal_systemd_required_services_list: |
{{ {{
@ -222,8 +225,8 @@ matrix_dimension_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Dimension HTTP port to the local host (`127.0.0.1:8184`). # the Dimension HTTP port to the local host.
matrix_dimension_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}"
###################################################################### ######################################################################
# #
@ -264,8 +267,8 @@ matrix_mxisd_enabled: true
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# mxisd's web-server port to the local host (`127.0.0.1:8090`). # mxisd's web-server port.
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}"
# We enable Synapse integration via its Postgres database by default. # We enable Synapse integration via its Postgres database by default.
# When using another Identity store, you might wish to disable this and define # When using another Identity store, you might wish to disable this and define
@ -408,8 +411,8 @@ matrix_riot_web_enabled: true
# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the riot-web HTTP port to the local host (`127.0.0.1:80`). # the riot-web HTTP port to the local host.
matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_riot_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}"
matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}"
matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}"
@ -449,15 +452,20 @@ matrix_riot_web_enable_presence_by_hs_url: |
matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
# to the local host. # you can expose Synapse's ports to the host.
# #
# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`). # For exposing the Matrix Client API's port (plain HTTP) to the local host.
matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`). #
matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}" # For exposing the Matrix Federation API's plain port (plain HTTP) to the local host.
matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}"
matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}" #
# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
#
# For exposing the Synapse Metrics API's port (plain HTTP) to the local host.
matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}"
matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}"
matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}"

@ -11,8 +11,10 @@ matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-dis
matrix_appservice_discord_client_id: '' matrix_appservice_discord_client_id: ''
matrix_appservice_discord_bot_token: '' matrix_appservice_discord_bot_token: ''
# Controls whether the Appservice Discord container exposes the Client/Server API port (tcp/9005). # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container).
matrix_appservice_discord_container_expose_client_server_api_port: false #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or empty string to not expose.
matrix_appservice_discord_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_appservice_discord_container_extra_arguments: [] matrix_appservice_discord_container_extra_arguments: []
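Review bot: the new comment documents the `"<port>"` form without saying what it does differently from `"<ip>:<port>"`. The value is passed straight to `docker run -p`, where a bare port publishes on all network interfaces, so a user who writes `'9005'` instead of `'127.0.0.1:9005'` makes the bridge's HTTP port reachable from outside the host. Spell that out in the comment, here and in the identical comments added to the other roles.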

@ -61,9 +61,6 @@
-l discord_bot -l discord_bot
when: "not appservice_discord_registration_file.stat.exists" when: "not appservice_discord_registration_file.stat.exists"
- set_fact:
matrix_synapse_app_service_config_file_appservice_discord: '{{ matrix_appservice_discord_base_path }}/discord-registration.yml'
- name: Check if a matrix-appservice-discord invite_link file exists - name: Check if a matrix-appservice-discord invite_link file exists
stat: stat:
path: "{{ matrix_appservice_discord_base_path }}/invite_link" path: "{{ matrix_appservice_discord_base_path }}/invite_link"
@ -82,12 +79,12 @@
# If the matrix-synapse role is not used, these variables may not exist. # If the matrix-synapse role is not used, these variables may not exist.
- set_fact: - set_fact:
matrix_synapse_container_additional_volumes: > matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_additional_volumes|default([]) }} {{ matrix_synapse_container_extra_arguments|default([]) }}
+ +
{{ [{'src': '{{ matrix_appservice_discord_base_path }}/discord-registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_appservice_discord }}', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_appservice_discord_base_path }}/discord-registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }}
matrix_synapse_app_service_config_files: > matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }} {{ matrix_synapse_app_service_config_files|default([]) }}
+ +
{{ ["{{ matrix_synapse_app_service_config_file_appservice_discord }}"] | to_nice_json }} {{ ["/matrix-appservice-discord-registration.yaml"] }}

@ -8,3 +8,12 @@
with_items: with_items:
- "matrix_appservice_discord_client_id" - "matrix_appservice_discord_client_id"
- "matrix_appservice_discord_bot_token" - "matrix_appservice_discord_bot_token"
- name: (Deprecation) Catch and report renamed appservice-discord variables
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_appservice_discord_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_discord_container_http_host_bind_port>'}
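Review bot: the failure message tells the user to "rename the variable", but this is not a plain rename: the old variable was a boolean and the new one takes an `<ip>:<port>` string. Someone who follows the message literally ends up with `matrix_appservice_discord_container_http_host_bind_port: true`, which the systemd template then renders into the `-p {{ ... }}:9005` argument as-is. Either give this check its own message that names the expected value format (for example `'127.0.0.1:9005'`), or add a validation task that fails when the new variable is not a string.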

@ -19,8 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \ --cap-drop=ALL \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if matrix_appservice_discord_container_expose_client_server_api_port %} {% if matrix_appservice_discord_container_http_host_bind_port %}
-p 127.0.0.1:9005:9005 \ -p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \
{% endif %} {% endif %}
-v {{ matrix_appservice_discord_base_path }}:/data \ -v {{ matrix_appservice_discord_base_path }}:/data \
{% for arg in matrix_appservice_discord_container_extra_arguments %} {% for arg in matrix_appservice_discord_container_extra_arguments %}

@ -7,8 +7,10 @@ matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest"
matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
# Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999). # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
matrix_appservice_irc_container_expose_client_server_api_port: false #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
matrix_appservice_irc_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_appservice_irc_container_extra_arguments: [] matrix_appservice_irc_container_extra_arguments: []
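Review bot: the added comment for `matrix_appservice_irc_container_http_host_bind_port` says "the matrix-appservice-discord container", which looks copied from the Discord role; it should name the matrix-appservice-irc container. The port in the same sentence (tcp/9999) is already the IRC one.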

@ -70,20 +70,17 @@
-l irc_bot -l irc_bot
when: "not appservice_irc_registration_file.stat.exists" when: "not appservice_irc_registration_file.stat.exists"
- set_fact:
matrix_synapse_app_service_config_file_appservice_irc: '/app-registration/appservice-irc.yml'
# If the matrix-synapse role is not used, these variables may not exist. # If the matrix-synapse role is not used, these variables may not exist.
- set_fact: - set_fact:
matrix_synapse_container_additional_volumes: > matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_additional_volumes|default([]) }} {{ matrix_synapse_container_extra_arguments|default([]) }}
+ +
{{ [{'src': '{{ matrix_appservice_irc_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_appservice_irc }}', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_appservice_irc_base_path }}/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro"] }}
matrix_synapse_app_service_config_files: > matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }} {{ matrix_synapse_app_service_config_files|default([]) }}
+ +
{{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json }} {{ ["/matrix-appservice-irc-registration.yaml"] }}
- name: Ensure IRC configuration directory permissions are correct - name: Ensure IRC configuration directory permissions are correct
file: file:

@ -14,3 +14,11 @@
You need to define additional configuration in `matrix_appservice_irc_configuration_extension_yaml` or to override `matrix_appservice_irc_configuration`. You need to define additional configuration in `matrix_appservice_irc_configuration_extension_yaml` or to override `matrix_appservice_irc_configuration`.
when: "matrix_appservice_irc_configuration.ircService|default(none) is none" when: "matrix_appservice_irc_configuration.ircService|default(none) is none"
- name: (Deprecation) Catch and report renamed appservice-irc variables
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}

@ -19,8 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \ --cap-drop=ALL \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if matrix_appservice_irc_container_expose_client_server_api_port %} {% if matrix_appservice_irc_container_http_host_bind_port %}
-p 127.0.0.1:9999:9999 \ -p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \
{% endif %} {% endif %}
-v {{ matrix_appservice_irc_base_path }}:/data:z \ -v {{ matrix_appservice_irc_base_path }}:/data:z \
{% for arg in matrix_appservice_irc_container_extra_arguments %} {% for arg in matrix_appservice_irc_container_extra_arguments %}

@ -7,10 +7,6 @@ matrix_mautrix_facebook_docker_image: "tulir/mautrix-facebook:latest"
matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook"
# Get your own API keys at https://developers.facebook.com/docs/apis-and-sdks/
matrix_mautrix_facebook_api_id: ''
matrix_mautrix_facebook_api_hash: ''
matrix_mautrix_facebook_homeserver_address: 'https://{{ matrix_server_fqn_matrix }}' matrix_mautrix_facebook_homeserver_address: 'https://{{ matrix_server_fqn_matrix }}'
matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:8080' matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:8080'

@ -2,12 +2,6 @@
tags: tags:
- always - always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool"
tags:
- setup-all
- setup-mautrix-facebook
- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool"
tags: tags:

@ -65,17 +65,14 @@
python3 -m mautrix_facebook -g -c /data/config.yaml -r /data/registration.yaml python3 -m mautrix_facebook -g -c /data/config.yaml -r /data/registration.yaml
when: "not mautrix_facebook_registration_file_stat.stat.exists" when: "not mautrix_facebook_registration_file_stat.stat.exists"
- set_fact:
matrix_synapse_app_service_config_file_mautrix_facebook: '/app-registration/mautrix-facebook.yml'
# If the matrix-synapse role is not used, these variables may not exist. # If the matrix-synapse role is not used, these variables may not exist.
- set_fact: - set_fact:
matrix_synapse_container_additional_volumes: > matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_additional_volumes|default([]) }} {{ matrix_synapse_container_extra_arguments|default([]) }}
+ +
{{ [{'src': '{{ matrix_mautrix_facebook_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_facebook }}', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_mautrix_facebook_base_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] }}
matrix_synapse_app_service_config_files: > matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }} {{ matrix_synapse_app_service_config_files|default([]) }}
+ +
{{ ["{{ matrix_synapse_app_service_config_file_mautrix_facebook }}"] | to_nice_json }} {{ ["/matrix-mautrix-facebook-registration.yaml"] }}

@ -1,10 +0,0 @@
---
- name: Fail if required settings not defined
fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`).
when: "vars[item] == ''"
with_items:
- "matrix_mautrix_facebook_api_id"
- "matrix_mautrix_facebook_api_hash"

@ -3,7 +3,7 @@
matrix_mautrix_telegram_enabled: true matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.5.1" matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.5.2"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
@ -21,8 +21,10 @@ matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080' matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080'
matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}'
# Set this to a port number to expose on the host when not using matrix-nginx-proxy # Controls whether the matrix-telegram container exposes its HTTP port (tcp/8080 in the container).
matrix_mautrix_telegram_container_exposed_port_number: ~ #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose.
matrix_mautrix_telegram_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_mautrix_telegram_container_extra_arguments: [] matrix_mautrix_telegram_container_extra_arguments: []
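Review bot: the new comment above `matrix_mautrix_telegram_container_http_host_bind_port` refers to the "matrix-telegram container", but the container is addressed as `matrix-mautrix-telegram` in the appservice address in this same hunk. Use the full name so the comment can be matched against the unit and the Docker network name.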

@ -76,43 +76,40 @@
python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml
when: "not mautrix_telegram_registration_file_stat.stat.exists" when: "not mautrix_telegram_registration_file_stat.stat.exists"
- set_fact:
matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'
# If the matrix-synapse role is not used, these variables may not exist. # If the matrix-synapse role is not used, these variables may not exist.
- set_fact: - set_fact:
matrix_synapse_container_additional_volumes: > matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_additional_volumes|default([]) }} {{ matrix_synapse_container_extra_arguments|default([]) }}
+ +
{{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_mautrix_telegram_base_path }}/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro"] }}
matrix_synapse_app_service_config_files: > matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }} {{ matrix_synapse_app_service_config_files|default([]) }}
+ +
{{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} {{ ["/matrix-mautrix-telegram-registration.yaml"] }}
- block: - block:
- name: Fail if matrix-nginx-proxy role already executed - name: Fail if matrix-nginx-proxy role already executed
fail: fail:
msg: > msg: >-
Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed. but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your plabook, To fix this, please change the order of roles in your plabook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
when: matrix_nginx_proxy_role_executed|bool when: matrix_nginx_proxy_role_executed|default(False)|bool
- name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
set_fact: set_fact:
matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
location {{ matrix_mautrix_telegram_public_endpoint }} { location {{ matrix_mautrix_telegram_public_endpoint }} {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #} {# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s; resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-telegram:8080"; set $backend "matrix-mautrix-telegram:8080";
proxy_pass http://$backend; proxy_pass http://$backend;
{% else %} {% else %}
{# Generic configuration for use outside of our container setup #} {# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:8080; proxy_pass http://127.0.0.1:9006;
{% endif %} {% endif %}
} }
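Review bot: in the `{% else %}` branch, `proxy_pass http://127.0.0.1:9006;` hardcodes a host port, while `matrix_mautrix_telegram_container_http_host_bind_port` is user-defined and defaults to an empty string, so the generated snippet only works if the user happens to set exactly `127.0.0.1:9006`. Either document that value as required next to the variable, or fail early when the generic branch is used and the bind port is empty or different. Separately, the unchanged message in this hunk still says "plabook"; worth fixing while the block is being touched.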
@ -120,20 +117,19 @@
set_fact: set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{ {{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+ +
[matrix_mautrix_telegram_matrix_nginx_proxy_configuration] [matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
}} }}
when: "matrix_nginx_proxy_enabled|default(False)"
tags: tags:
- always - always
- name: Warn about reverse-proxying if matrix-nginx-proxy not used - name: Warn about reverse-proxying if matrix-nginx-proxy not used
debug: debug:
msg: > msg: >-
NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
reverse proxy. reverse proxy.
Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
URL endpoint to the matrix-mautrix-telegram container. URL endpoint to the matrix-mautrix-telegram container.
You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable.
when: "matrix_nginx_proxy_enabled is not defined" when: "matrix_nginx_proxy_enabled is not defined"
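Review bot: the warning task still uses `when: "matrix_nginx_proxy_enabled is not defined"`, while the added condition in this hunk is `when: "matrix_nginx_proxy_enabled|default(False)"`. When the variable is defined but false, the proxy configuration is not registered and the warning is not shown either, so the user is never told to proxy the endpoint manually. Suggest `when: "not matrix_nginx_proxy_enabled|default(False)"` on the warning so the two conditions are complementary.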

@ -9,3 +9,12 @@
- "matrix_mautrix_telegram_api_id" - "matrix_mautrix_telegram_api_id"
- "matrix_mautrix_telegram_api_hash" - "matrix_mautrix_telegram_api_hash"
- "matrix_mautrix_telegram_public_endpoint" - "matrix_mautrix_telegram_public_endpoint"
- name: (Deprecation) Catch and report renamed Telegram variables
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': '<superseded by matrix_mautrix_telegram_container_http_host_bind_port>'}
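Review bot: the failure message tells users to "rename the variable", but `matrix_mautrix_telegram_container_exposed_port_number` held a bare port number that the unit prefixed with `127.0.0.1:`, and the replacement is passed to `-p` as-is. A user who renames and keeps a value like `9006` ends up publishing the bridge on all host interfaces instead of loopback. Suggest spelling out the expected value format in the `new` text, for example `<superseded by matrix_mautrix_telegram_container_http_host_bind_port, which takes '127.0.0.1:<port>'>`.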

@ -26,8 +26,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \ --cap-drop=ALL \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if matrix_mautrix_telegram_container_exposed_port_number is not none %} {% if matrix_mautrix_telegram_container_http_host_bind_port %}
-p 127.0.0.1:{{ matrix_mautrix_telegram_container_exposed_port_number }}:8080 \ -p {{ matrix_mautrix_telegram_container_http_host_bind_port }}:8080 \
{% endif %} {% endif %}
-v {{ matrix_mautrix_telegram_base_path }}:/data:z \ -v {{ matrix_mautrix_telegram_base_path }}:/data:z \
{% for arg in matrix_mautrix_telegram_container_extra_arguments %} {% for arg in matrix_mautrix_telegram_container_extra_arguments %}

@ -65,17 +65,14 @@
/usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml
when: "not mautrix_whatsapp_registration_file_stat.stat.exists" when: "not mautrix_whatsapp_registration_file_stat.stat.exists"
- set_fact:
matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml'
# If the matrix-synapse role is not used, these variables may not exist. # If the matrix-synapse role is not used, these variables may not exist.
- set_fact: - set_fact:
matrix_synapse_container_additional_volumes: > matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_additional_volumes|default([]) }} {{ matrix_synapse_container_extra_arguments|default([]) }}
+ +
{{ [{'src': '{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_mautrix_whatsapp_base_path }}/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro"] }}
matrix_synapse_app_service_config_files: > matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }} {{ matrix_synapse_app_service_config_files|default([]) }}
+ +
{{ ["{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}"] | to_nice_json }} {{ ["/matrix-mautrix-whatsapp-registration.yaml"] }}

@ -36,6 +36,6 @@
msg: >- msg: >-
{{ item }} was not detected to be running. {{ item }} was not detected to be running.
It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.).
Try running `systemctl status {{ item }}` and `systemctl -fu {{ item }}` on the server to investigate. Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate.
with_items: "{{ matrix_systemd_services_list }}" with_items: "{{ matrix_systemd_services_list }}"
when: "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" when: "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'"

@ -3,8 +3,15 @@
matrix_corporal_enabled: true matrix_corporal_enabled: true
# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container. # Controls whether the matrix-corporal container exposes its gateway HTTP port (tcp/41080 in the container).
matrix_corporal_container_expose_ports: false #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:41080"), or empty string to not expose.
matrix_corporal_container_http_gateway_host_bind_port: ''
# Controls whether the matrix-corporal container exposes its API HTTP port (tcp/41081 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:41081"), or empty string to not expose.
matrix_corporal_container_http_api_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_corporal_container_extra_arguments: [] matrix_corporal_container_extra_arguments: []

@ -2,7 +2,7 @@
- name: Fail if required matrix-corporal settings not defined - name: Fail if required matrix-corporal settings not defined
fail: fail:
msg: > msg: >-
You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal. You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
when: "vars[item] == ''" when: "vars[item] == ''"
with_items: with_items:
@ -15,3 +15,13 @@
fail: fail:
msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''" when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"
- name: (Deprecation) Catch and report renamed corporal variables
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}

@ -17,9 +17,11 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
--cap-drop=ALL \ --cap-drop=ALL \
--read-only \ --read-only \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if matrix_corporal_container_expose_ports %} {% if matrix_corporal_container_http_gateway_host_bind_port %}
-p 127.0.0.1:41080:41080 \ -p {{ matrix_corporal_container_http_gateway_host_bind_port }}:41080 \
-p 127.0.0.1:41081:41081 \ {% endif %}
{% if matrix_corporal_container_http_api_host_bind_port %}
-p {{ matrix_corporal_container_http_api_host_bind_port }}:41081 \
{% endif %} {% endif %}
-v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \
-v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \
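Review bot: the `-p ...:41081` publish for the HTTP API is conditioned only on `matrix_corporal_container_http_api_host_bind_port`, not on `matrix_corporal_http_api_enabled`, unlike the Synapse unit in this same commit, where the federation and metrics ports are also gated on their feature flags. Suggest `{% if matrix_corporal_http_api_enabled and matrix_corporal_container_http_api_host_bind_port %}` for consistency, and a line in the defaults noting that a bare `<port>` value publishes the API on all host interfaces.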

@ -2,7 +2,7 @@
- name: Fail if required Coturn settings not defined - name: Fail if required Coturn settings not defined
fail: fail:
msg: > msg: >-
You need to define a required configuration setting (`{{ item }}`) for using Coturn. You need to define a required configuration setting (`{{ item }}`) for using Coturn.
when: "vars[item] == ''" when: "vars[item] == ''"
with_items: with_items:

@ -18,7 +18,10 @@ matrix_dimension_docker_image: "turt2live/matrix-dimension:latest"
matrix_dimension_user_uid: 1000 matrix_dimension_user_uid: 1000
matrix_dimension_user_gid: 1000 matrix_dimension_user_gid: 1000
matrix_dimension_container_expose_port: false # Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8184"), or empty string to not expose.
matrix_dimension_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_dimension_container_extra_arguments: [] matrix_dimension_container_extra_arguments: []

@ -13,3 +13,12 @@
with_items: with_items:
- "matrix_synapse_federation_enabled" - "matrix_synapse_federation_enabled"
when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool" when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool"
- name: (Deprecation) Catch and report renamed Dimension variables
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_dimension_container_expose_port', 'new': '<superseded by matrix_dimension_container_http_host_bind_port>'}

@ -17,8 +17,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
{% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %}
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \ -e NODE_TLS_REJECT_UNAUTHORIZED=0 \
{% endif %} {% endif %}
{% if matrix_dimension_container_expose_port %} {% if matrix_dimension_container_http_host_bind_port %}
-p 127.0.0.1:8184:8184 \ -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \
{% endif %} {% endif %}
-v {{ matrix_dimension_base_path }}:/data:rw \ -v {{ matrix_dimension_base_path }}:/data:rw \
{% for arg in matrix_dimension_container_extra_arguments %} {% for arg in matrix_dimension_container_extra_arguments %}

@ -1,12 +1,17 @@
# mxisd is a Federated Matrix Identity Server
# See: https://github.com/kamax-matrix/mxisd
matrix_mxisd_enabled: true matrix_mxisd_enabled: true
matrix_mxisd_docker_image: "kamax/mxisd:1.4.3" matrix_mxisd_docker_image: "kamax/mxisd:1.4.4"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
# Controls whether the mxisd web server's port (`8090`) is exposed outside of the container. # Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container).
matrix_mxisd_container_expose_port: false #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
matrix_mxisd_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_mxisd_container_extra_arguments: [] matrix_mxisd_container_extra_arguments: []

@ -45,3 +45,13 @@
when: "vars[item] == ''" when: "vars[item] == ''"
with_items: with_items:
- "matrix_mxisd_threepid_medium_email_connectors_smtp_host" - "matrix_mxisd_threepid_medium_email_connectors_smtp_host"
- name: (Deprecation) Catch and report renamed mxisd variables
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_mxisd_container_expose_port', 'new': '<superseded by matrix_mxisd_container_http_host_bind_port>'}

@ -23,8 +23,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
--read-only \ --read-only \
--tmpfs=/tmp:rw,exec,nosuid,size=10m \ --tmpfs=/tmp:rw,exec,nosuid,size=10m \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if matrix_mxisd_container_expose_port %} {% if matrix_mxisd_container_http_host_bind_port %}
-p 127.0.0.1:8090:8090 \ -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \
{% endif %} {% endif %}
-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
-v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \

@ -2,7 +2,7 @@
- name: (Deprecation) Catch and report renamed settings - name: (Deprecation) Catch and report renamed settings
fail: fail:
msg: > msg: >-
Your configuration contains a variable, which now has a different name. Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars" when: "item.old in vars"

@ -169,6 +169,25 @@ server {
} }
{% endif %} {% endif %}
location /_synapse/admin {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
proxy_max_temp_file_size 0;
}
location / { location / {
rewrite ^/$ /_matrix/static/ last; rewrite ^/$ /_matrix/static/ last;
} }
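Review bot: the new `location /_synapse/admin` block is added outside any conditional and carries no `allow`/`deny` or other access restriction, so the Synapse admin API becomes reachable through the reverse proxy on every install that uses this template. Suggest gating the block behind an opt-in variable that defaults to off, or restricting the source addresses. The `client_body_buffer_size 25M` and `client_max_body_size` lines also look carried over from the client API location and may not be needed for admin calls.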

@ -1,10 +1,13 @@
matrix_riot_web_enabled: true matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "bubuntux/riot-web:v1.1.2" matrix_riot_web_docker_image: "bubuntux/riot-web:v1.2.0"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
matrix_riot_web_container_expose_port: false # Controls whether the matrix-riot-web container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
matrix_riot_web_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_riot_web_container_extra_arguments: [] matrix_riot_web_container_extra_arguments: []

@ -8,9 +8,9 @@
with_items: with_items:
- "matrix_riot_web_default_hs_url" - "matrix_riot_web_default_hs_url"
- name: (Deprecation) Catch and report renamed settings - name: (Deprecation) Catch and report renamed riot-web variables
fail: fail:
msg: > msg: >-
Your configuration contains a variable, which now has a different name. Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars" when: "item.old in vars"
@ -20,3 +20,4 @@
- {'old': 'matrix_riot_web_homepage_template_technical', 'new': '<removed>'} - {'old': 'matrix_riot_web_homepage_template_technical', 'new': '<removed>'}
- {'old': 'matrix_riot_web_homepage_template_building', 'new': '<removed>'} - {'old': 'matrix_riot_web_homepage_template_building', 'new': '<removed>'}
- {'old': 'matrix_riot_web_homepage_template_contributing', 'new': '<removed>'} - {'old': 'matrix_riot_web_homepage_template_contributing', 'new': '<removed>'}
- {'old': 'matrix_riot_web_container_expose_port', 'new': '<superseded by matrix_riot_web_container_http_host_bind_port>'}

@ -17,8 +17,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
--cap-drop=ALL \ --cap-drop=ALL \
--read-only \ --read-only \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if matrix_riot_web_container_expose_port %} {% if matrix_riot_web_container_http_host_bind_port %}
-p 127.0.0.1:8765:8080 \ -p {{ matrix_riot_web_container_http_host_bind_port }}:8080 \
{% endif %} {% endif %}
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \
-v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \

@ -1,3 +1,3 @@
--- ---
matrix_riot_web_embedded_pages_home_url: "{{ (none if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}" matrix_riot_web_embedded_pages_home_url: "{{ ('' if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}"

@ -3,7 +3,7 @@
matrix_synapse_enabled: true matrix_synapse_enabled: true
matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.5.1" matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.5.2"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
@ -12,16 +12,32 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008). # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container).
matrix_synapse_container_expose_client_api_port: false #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
# Controls whether the Synapse container exposes the Server/Server (Federation) API port (tcp/8048). matrix_synapse_container_client_api_host_bind_port: ''
# This is for the plain HTTP API. If you need Synapse to handle TLS encryption,
# that would be on another port (tcp/8448) controlled by `matrix_synapse_tls_federation_listener_enabled`. # Controls whether the matrix-synapse container exposes the plain (unencrypted) Server/Server (Federation) API port (tcp/8048 in the container).
matrix_synapse_container_expose_federation_api_port: false #
# Takes effect only if federation is enabled (matrix_synapse_federation_enabled).
# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100). #
matrix_synapse_container_expose_metrics_port: false # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
matrix_synapse_container_federation_api_plain_host_bind_port: ''
# Controls whether the matrix-synapse container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container).
#
# Takes effect only if federation is enabled (matrix_synapse_federation_enabled)
# and TLS support is enabled (matrix_synapse_tls_federation_listener_enabled).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "8448"), or empty string to not expose.
matrix_synapse_container_federation_api_tls_host_bind_port: ''
# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100 in the container).
#
# Takes effect only if metrics are enabled (matrix_synapse_metrics_enabled).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
matrix_synapse_container_metrics_api_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_synapse_container_extra_arguments: [] matrix_synapse_container_extra_arguments: []
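Review bot: `matrix_synapse_container_federation_api_tls_host_bind_port` defaults to `''`, but the unit template previously published `-p 8448:8448` whenever federation and the TLS listener were enabled. Unless the value is set elsewhere in the playbook, setups that relied on that lose the port without any error, and the deprecation checks cannot catch it because there was no old variable to detect. Either default it to `'8448'` or make sure the playbook-level wiring sets it, and state the behaviour change explicitly in the changelog rather than as "possibly".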
@ -154,6 +170,11 @@ matrix_synapse_federation_domain_whitelist: ~
# A list of additional "volumes" to mount in the container. # A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Synapse extensions that have been enabled. # This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
#
# Note: internally, this uses the `-v` flag for mounting the specified volumes.
# It's better (safer) to use the `--mount` flag for mounting volumes.
# To use `--mount`, specifiy it in `matrix_synapse_container_extra_arguments`.
# Example: `matrix_synapse_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro']
matrix_synapse_container_additional_volumes: [] matrix_synapse_container_additional_volumes: []
# A list of additional loggers to register in synapse.log.config. # A list of additional loggers to register in synapse.log.config.
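Review bot: the added comment has a typo ("specifiy" should be "specify"), and the `Example:` line opens a backtick that is never closed. It would also help to say why `--mount` is considered safer, presumably that `--mount type=bind` errors out on a missing source path while `-v` creates it as a directory, so readers know what the recommendation protects against.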
@ -163,7 +184,7 @@ matrix_synapse_additional_loggers: []
# A list of appservice config files (in-container filesystem paths). # A list of appservice config files (in-container filesystem paths).
# This list gets populated dynamically based on Synapse extensions that have been enabled. # This list gets populated dynamically based on Synapse extensions that have been enabled.
# You may wish to use this together with `matrix_synapse_container_additional_volumes`. # You may wish to use this together with `matrix_synapse_container_additional_volumes` or `matrix_synapse_container_extra_arguments`.
matrix_synapse_app_service_config_files: [] matrix_synapse_app_service_config_files: []
# This is set dynamically during execution depending on whether # This is set dynamically during execution depending on whether

@ -1,8 +1,6 @@
- set_fact: - set_fact:
matrix_synapse_password_providers_enabled: true matrix_synapse_password_providers_enabled: true
when: matrix_synapse_ext_password_provider_ldap_enabled|bool
- set_fact:
matrix_synapse_additional_loggers: > matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }} {{ matrix_synapse_additional_loggers }}
+ +

@ -17,13 +17,11 @@
- set_fact: - set_fact:
matrix_synapse_password_providers_enabled: true matrix_synapse_password_providers_enabled: true
- set_fact: matrix_synapse_container_extra_arguments: >
matrix_synapse_container_additional_volumes: > {{ matrix_synapse_container_extra_arguments|default([]) }}
{{ matrix_synapse_container_additional_volumes }}
+ +
{{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/rest_auth_provider.py,dst={{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py,ro"] }}
- set_fact:
matrix_synapse_additional_loggers: > matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }} {{ matrix_synapse_additional_loggers }}
+ +

@ -17,13 +17,11 @@
- set_fact: - set_fact:
matrix_synapse_password_providers_enabled: true matrix_synapse_password_providers_enabled: true
- set_fact: matrix_synapse_container_extra_arguments: >
matrix_synapse_container_additional_volumes: > {{ matrix_synapse_container_extra_arguments|default([]) }}
{{ matrix_synapse_container_additional_volumes }}
+ +
{{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py', 'options': 'ro'}] }} {{ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/shared_secret_authenticator.py,dst={{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py,ro"] }}
- set_fact:
matrix_synapse_additional_loggers: > matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }} {{ matrix_synapse_additional_loggers }}
+ +

@ -15,7 +15,7 @@
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars" when: "item.old in vars"
with_items: with_items:
- {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'} - {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
- {'old': 'matrix_synapse_no_tls', 'new': '<removed>'} - {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
- {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'} - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}
- {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'} - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'}
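Review bot: the entry for `matrix_synapse_container_expose_api_port` used to point at `matrix_synapse_container_expose_client_api_port`, the client API variable, but the new text sends users to the federation variable `matrix_synapse_container_federation_api_plain_host_bind_port`. It should read `<superseded by matrix_synapse_container_client_api_host_bind_port>`; as written, anyone following the message publishes tcp/8048 instead of tcp/8008.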
@ -27,3 +27,6 @@
- {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': '<sleep_delay subkey of matrix_synapse_rc_federation>'} - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': '<sleep_delay subkey of matrix_synapse_rc_federation>'}
- {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': '<reject_limit subkey of matrix_synapse_rc_federation>'} - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': '<reject_limit subkey of matrix_synapse_rc_federation>'}
- {'old': 'matrix_synapse_federation_rc_concurrent', 'new': '<concurrent subkey of matrix_synapse_rc_federation>'} - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': '<concurrent subkey of matrix_synapse_rc_federation>'}
- {'old': 'matrix_synapse_container_expose_client_api_port', 'new': '<superseded by matrix_synapse_container_client_api_host_bind_port>'}
- {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}

@ -893,7 +893,7 @@ report_stats: {{ matrix_synapse_report_stats|to_json }}
# A list of application service config files to use # A list of application service config files to use
# #
app_service_config_files: {{ matrix_synapse_app_service_config_files }} app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }}
# Uncomment to enable tracking of application service IP addresses. Implicitly # Uncomment to enable tracking of application service IP addresses. Implicitly
# enables MAU tracking for application service users. # enables MAU tracking for application service users.
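Review bot: The `|to_json` filter added on `app_service_config_files` is unrelated to the port-binding changes in the rest of this commit; mention it in the commit message or split it into its own commit. The change itself looks right: it matches the `|to_json` already used on `report_stats` and makes the list render as valid YAML regardless of what the file paths contain.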

@ -29,17 +29,17 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
{% if matrix_synapse_container_expose_client_api_port %} {% if matrix_synapse_container_client_api_host_bind_port %}
-p 127.0.0.1:8008:8008 \ -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \
{% endif %} {% endif %}
{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %}
-p 8448:8448 \ -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \
{% endif %} {% endif %}
{% if matrix_synapse_federation_enabled and matrix_synapse_container_expose_federation_api_port %} {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %}
-p 127.0.0.1:8048:8048 \ -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \
{% endif %} {% endif %}
{% if matrix_synapse_container_expose_metrics_port %} {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %}
-p 127.0.0.1:{{ matrix_synapse_metrics_port }}:{{ matrix_synapse_metrics_port }} \ -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \
{% endif %} {% endif %}
-v {{ matrix_synapse_config_dir_path }}:/data:ro \ -v {{ matrix_synapse_config_dir_path }}:/data:ro \
-v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_run_path }}:/matrix-run:rw \
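Review bot: The `*_host_bind_port` values are interpolated into `-p` without any validation, so the value alone decides on which interface each port is published: `'127.0.0.1:8008'` keeps it on loopback, while a bare `'8008'` publishes it on all interfaces. That matters most for the client API, plain federation and metrics listeners, which were hardcoded to `127.0.0.1` before this change. Consider a validation task that fails when a value is neither empty nor of the form `port` or `ip:port`, and document that omitting the IP exposes the port publicly. Also confirm that the default for `matrix_synapse_container_federation_api_tls_host_bind_port` is `'8448'`: the TLS federation port used to be published whenever the listener was enabled and is now skipped when the variable is empty.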
