Split playbook into multiple roles

As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
development
Slavi Pantaleev 6 years ago
parent 7d1561b506
commit 51312b8250

@ -1,3 +1,15 @@
# 2019-01-xx
## Splitting the playbook into multiple roles
For better maintainability, the playbook logic (which all used to reside in a single `matrix-server` role)
has been split out into a number of different roles: `matrix-synapse`, `matrix-postgres`, `matrix-riot-web`, `matrix-mxisd`, etc. (see the `roles/` directory).
To keep the filesystem more consistent with this separation, the **Postgres data had to be relocated**.
The default value of `matrix_postgres_data_path` was changed from `/matrix/postgres` to `/matrix/postgres/data`. The `/matrix/postgres` directory is what we consider a base path now (new variable `matrix_postgres_base_path`). **Your Postgres data files will automatically be relocated by the playbook** (`/matrix/postgres/*` -> `/matrix/postgres/data/`) when you run with `--tags=setup-all` (or `--tags=setup-postgres`). While this shouldn't cause data-loss, **it's better if you do a Postgres backup just in case**. You'd need to restart all services after this migration (`--tags=start`).
# 2019-01-11 # 2019-01-11
## (BC Break) mxisd configuration changes ## (BC Break) mxisd configuration changes
@ -30,7 +42,7 @@ The following variables are no longer supported by this playbook:
- `matrix_mxisd_template_config` - `matrix_mxisd_template_config`
You are encouraged to use the `matrix_mxisd_configuration_extension_yaml` variable to define your own mxisd configuration additions and overrides. You are encouraged to use the `matrix_mxisd_configuration_extension_yaml` variable to define your own mxisd configuration additions and overrides.
Refer to the [default variables file](roles/matrix-server/defaults/main.yml) for more information. Refer to the [default variables file](roles/matrix-mxisd/defaults/main.yml) for more information.
This new way of configuring mxisd is beneficial because: This new way of configuring mxisd is beneficial because:
@ -92,7 +104,7 @@ Based on feedback from others, running Synapse on Python 3 is supposed to decrea
## Riot homepage customization ## Riot homepage customization
You can now customize some parts of the Riot homepage (or even completely replace it with your own custom page). You can now customize some parts of the Riot homepage (or even completely replace it with your own custom page).
See the `matrix_riot_web_homepage_` variables in `roles/matrix-server/defaults/main.yml`. See the `matrix_riot_web_homepage_` variables in `roles/matrix-riot-web/defaults/main.yml`.
# 2018-12-04 # 2018-12-04

@ -29,7 +29,7 @@ You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more
To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable
and put your configuration in it. and put your configuration in it.
To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-server/defaults/main.yml). To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component.
## Troubleshooting ## Troubleshooting

@ -8,7 +8,7 @@ You can follow these steps:
- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix.<your-domain>/vars.yml`) - copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix.<your-domain>/vars.yml`)
- edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults/main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. - edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) - copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)

@ -0,0 +1,37 @@
# The bare hostname which represents your identity.
# This is something like "example.com".
# Note: this playbook does not touch the server referenced here.
hostname_identity: "{{ host_specific_hostname_identity|lower }}"
# This is where your data lives and what we set up here.
# This and the Riot hostname (see below) are expected to be on the same server.
hostname_matrix: "matrix.{{ hostname_identity }}"
# This is where you access the web UI from and what we set up here.
# This and the Matrix hostname (see above) are expected to be on the same server.
hostname_riot: "riot.{{ hostname_identity }}"
matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
matrix_base_data_path: "/matrix"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_homeserver_url: "https://{{ hostname_matrix }}"
matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}"
# The Docker network that all services would be put into
matrix_docker_network: "matrix"
# Variables to Control which parts of our roles run.
run_setup: true
run_import_postgres: true
run_upgrade_postgres: true
run_start: true
run_register_user: true
run_import_sqlite_db: true
run_import_media_store: true
run_self_check: true

@ -0,0 +1,9 @@
---
- name: Get rid of old files and directories
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ matrix_base_data_path }}/environment-variables"
- "{{ matrix_base_data_path }}/scratchpad"

@ -0,0 +1,33 @@
- import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml"
when: run_setup
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/setup_server_base.yml"
when: run_setup
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
when: run_setup
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/setup_well_known.yml"
when: run_setup
tags:
- setup-all
- setup-mxisd
- setup-synapse
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/sanity_check.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/self_check_dns.yml"
delegate_to: 127.0.0.1
become: false
when: run_self_check
tags:
- self-check

@ -22,7 +22,7 @@
when: "matrix_mxisd_enabled" when: "matrix_mxisd_enabled"
- name: Perform DNS SRV checks - name: Perform DNS SRV checks
include_tasks: "{{ role_path }}/tasks/self_check/self_check_dns_srv.yml" include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml"
with_items: "{{ dns_srv_record_checks }}" with_items: "{{ dns_srv_record_checks }}"
loop_control: loop_control:
loop_var: dns_srv_record_check loop_var: dns_srv_record_check

@ -13,12 +13,6 @@
state: present state: present
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
- name: Ensure environment variables data path exists
file:
path: "{{ matrix_environment_variables_data_path }}"
state: directory
mode: 0700
- name: Ensure Matrix base path exists - name: Ensure Matrix base path exists
file: file:
path: "{{ item }}" path: "{{ item }}"
@ -28,7 +22,6 @@
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
with_items: with_items:
- "{{ matrix_base_data_path }}" - "{{ matrix_base_data_path }}"
- "{{ matrix_synapse_base_path }}"
# `docker_network` doesn't work as expected when the given network # `docker_network` doesn't work as expected when the given network
# is a substring of a network that already exists. # is a substring of a network that already exists.

@ -0,0 +1,21 @@
# We need others to be able to read these directories too,
# so that matrix-nginx-proxy's nginx user can access the files.
#
# For running with another webserver, we recommend being part of the `matrix` group.
- name: Ensure Matrix static-files path exists
file:
path: "{{ item }}"
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
- name: Ensure Matrix /.well-known/matrix/client configured
template:
src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"

@ -0,0 +1,3 @@
# This will contain a list of enabled services that the playbook is managing.
# Each component is expected to append its service name to this list.
matrix_systemd_services_list: []

@ -0,0 +1,4 @@
- import_tasks: "{{ role_path }}/tasks/start.yml"
when: run_start
tags:
- start

@ -0,0 +1,18 @@
---
- name: Ensure systemd reloaded
service:
daemon_reload: yes
- name: Ensure Matrix services stopped
service:
name: "{{ item }}"
state: stopped
with_items: "{{ matrix_systemd_services_list }}"
- name: Ensure Matrix services started
service:
name: "{{ item }}"
enabled: yes
state: started
with_items: "{{ matrix_systemd_services_list }}"

@ -0,0 +1,28 @@
# Enable this to add support for matrix-corporal.
# See: https://github.com/devture/matrix-corporal
matrix_corporal_enabled: false
# Controls whether the matrix-corporal web server's ports are exposed outside of the container.
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
matrix_corporal_http_api_enabled: false
matrix_corporal_http_api_auth_token: ""
# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value)
matrix_corporal_policy_provider_config: ""
matrix_corporal_debug: false

@ -0,0 +1,9 @@
- name: Override configuration specifying where the Matrix Client API is
set_fact:
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
when: "matrix_corporal_enabled"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
when: "matrix_corporal_enabled"

@ -0,0 +1,16 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
when: run_setup
tags:
- setup-all
- setup-corporal
- import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check and matrix_corporal_enabled"
tags:
- self-check

@ -42,7 +42,7 @@
- name: Ensure Matrix Corporal config installed - name: Ensure Matrix Corporal config installed
template: template:
src: "{{ role_path }}/templates/corporal/config.json.j2" src: "{{ role_path }}/templates/config.json.j2"
dest: "{{ matrix_corporal_config_dir_path }}/config.json" dest: "{{ matrix_corporal_config_dir_path }}/config.json"
mode: 0644 mode: 0644
when: "matrix_corporal_enabled" when: "matrix_corporal_enabled"
@ -58,8 +58,11 @@
# Tasks related to getting rid of matrix-corporal (if it was previously enabled) # Tasks related to getting rid of matrix-corporal (if it was previously enabled)
# #
- name: Ensure matrix-corporal.service doesn't exist - name: Ensure matrix-corporal files don't exist
file: file:
path: "/etc/systemd/system/matrix-corporal.service" path: "{{ item }}"
state: absent state: absent
when: "not matrix_corporal_enabled" when: "not matrix_corporal_enabled"
with_items:
- /etc/systemd/system/matrix-corporal.service
- "{{ matrix_corporal_config_dir_path }}/config.json"

@ -13,7 +13,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
--log-driver=none \ --log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if not matrix_nginx_proxy_enabled %} {% if matrix_corporal_container_expose_ports %}
-p 127.0.0.1:41080:41080 \ -p 127.0.0.1:41080:41080 \
-p 127.0.0.1:41081:41081 \ -p 127.0.0.1:41081:41081 \
{% endif %} {% endif %}

@ -0,0 +1,14 @@
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# A shared secret (between Synapse and Coturn) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: ""
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"

@ -0,0 +1,2 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}"

@ -0,0 +1,9 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
when: run_setup
tags:
- setup-coturn
- setup-all

@ -19,7 +19,7 @@
- name: Ensure turnserver.conf installed - name: Ensure turnserver.conf installed
template: template:
src: "{{ role_path }}/templates/coturn/turnserver.conf.j2" src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}" dest: "{{ matrix_coturn_config_path }}"
mode: 0644 mode: 0644

@ -13,7 +13,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
-p 3478:3478 \ -p 3478:3478 \
-p 3478:3478/udp \ -p 3478:3478/udp \
-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
-v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \
-v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
{{ matrix_coturn_docker_image }} \ {{ matrix_coturn_docker_image }} \
-c /turnserver.conf -c /turnserver.conf

@ -0,0 +1,16 @@
# By default, this playbook sets up a postfix mailer server (running in a container).
# This is so that Matrix Synapse can send email reminders for unread messages.
# Other services (like mxisd), however, also use that mailer to send emails through it.
matrix_mailer_enabled: true
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
matrix_mailer_docker_image: "panubo/postfix:latest"
matrix_mailer_sender_address: "matrix@{{ hostname_identity }}"
matrix_mailer_relay_use: false
matrix_mailer_relay_host_name: "mail.example.com"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: false
matrix_mailer_relay_auth_username: ""
matrix_mailer_relay_auth_password: ""

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}"
when: "matrix_mailer_enabled"

@ -0,0 +1,9 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml"
when: run_setup
tags:
- setup-mailer
- setup-all

@ -4,13 +4,21 @@
# Tasks related to setting up the mailer # Tasks related to setting up the mailer
# #
- name: Ensure mailer base path exists
file:
path: "{{ matrix_mailer_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: matrix_mailer_enabled
- name: Ensure mailer environment variables file created - name: Ensure mailer environment variables file created
template: template:
src: "{{ role_path }}/templates/env/{{ item }}.j2" src: "{{ role_path }}/templates/env-mailer.j2"
dest: "{{ matrix_environment_variables_data_path }}/{{ item }}" dest: "{{ matrix_mailer_base_path }}/env-mailer"
mode: 0640 mode: 0640
with_items: when: matrix_mailer_enabled
- "env-mailer"
- name: Ensure mailer image is pulled - name: Ensure mailer image is pulled
docker_image: docker_image:
@ -49,7 +57,7 @@
- name: Ensure Matrix mailer environment variables path doesn't exist - name: Ensure Matrix mailer environment variables path doesn't exist
file: file:
path: "{{ matrix_environment_variables_data_path }}/env-mailer" path: "{{ matrix_mailer_base_path }}"
state: absent state: absent
when: "not matrix_mailer_enabled" when: "not matrix_mailer_enabled"

@ -10,7 +10,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-mailer
ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
--log-driver=none \ --log-driver=none \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-mailer \ --env-file={{ matrix_mailer_base_path }}/env-mailer \
{{ matrix_mailer_docker_image }} {{ matrix_mailer_docker_image }}
ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker kill matrix-mailer
ExecStop=-/usr/bin/docker rm matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer

@ -0,0 +1,101 @@
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
# you may wish to disable this.
matrix_mxisd_enabled: true
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
# Controls whether the mxisd web server's port is exposed outside of the container.
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# mxisd's web-server port to the local host (`127.0.0.1:8090`).
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups
matrix_mxisd_matrixorg_forwarding_enabled: false
# mxisd has serveral supported identity stores.
# One of them (which we enable by default) is storing identities directly in Synapse's database.
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
#
# If you need to disable this in favor of some other store, you can toggle it to disabled here
# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
matrix_mxisd_synapsesql_enabled: true
matrix_mxisd_synapsesql_type: postgresql
matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
# Default mxisd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_mxisd_configuration_yaml: |
matrix:
domain: {{ hostname_identity }}
server:
name: {{ hostname_matrix }}
key:
path: /var/mxisd/sign.key
storage:
provider:
sqlite:
database: /var/mxisd/mxisd.db
{% if matrix_mxisd_matrixorg_forwarding_enabled %}
forward:
servers: ['matrix-org']
{% endif %}
threepid:
medium:
email:
identity:
from: {{ matrix_mailer_sender_address }}
connectors:
smtp:
host: matrix-mailer
port: 587
tls: 0
synapseSql:
enabled: {{ matrix_mxisd_synapsesql_enabled }}
type: {{ matrix_mxisd_synapsesql_type }}
connection: {{ matrix_mxisd_synapsesql_connection }}
matrix_mxisd_configuration_extension_yaml: |
# Your custom YAML configuration for mxisd goes here.
# This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_mxisd_configuration_yaml`.
#
# Example configuration extension follows:
#
# ldap:
# enabled: true
# connection:
# host: ldapHostnameOrIp
# tls: false
# port: 389
# baseDns: ['OU=Users,DC=example,DC=org']
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
# Holds the final mxisd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}"
when: "matrix_mxisd_enabled"

@ -0,0 +1,13 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
tags:
- setup-all
- setup-mxisd
- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check and matrix_mxisd_enabled"

@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
--log-driver=none \ --log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
{% if not matrix_nginx_proxy_enabled %} {% if matrix_mxisd_container_expose_port %}
-p 127.0.0.1:8090:8090 \ -p 127.0.0.1:8090:8090 \
{% endif %} {% endif %}
-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \

@ -0,0 +1,50 @@
# By default, this playbook sets up its own nginx proxy server on port 80/443.
# This is fine if you're dedicating the whole server to Matrix.
# But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008"
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse
# Note TLSv1.3 is not yet available in dockerized nginx
# See: https://github.com/nginxinc/docker-nginx/issues/190
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.
#
# The following retrieval methods are supported:
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
# - "self-signed" - the playbook generates and self-signs certificates
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
#
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
# obeying the following hierarchy:
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
matrix_ssl_retrieval_method: "lets-encrypt"
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}"
when: "matrix_nginx_proxy_enabled"

@ -0,0 +1,23 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
when: run_setup
tags:
- setup-all
- setup-nginx-proxy
- setup-ssl
- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
when: run_setup
tags:
- setup-all
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
delegate_to: 127.0.0.1
become: false
when: run_self_check
tags:
- self-check

@ -13,12 +13,12 @@
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
with_items: with_items:
- "{{ matrix_well_known_file_path|dirname }}" - "{{ matrix_static_files_base_path }}/.well-known/matrix"
- name: Ensure Matrix /.well-known/matrix/client configured - name: Ensure Matrix /.well-known/matrix/client configured
template: template:
src: "{{ role_path }}/templates/well-known/matrix-client.j2" src: "{{ role_path }}/templates/well-known/matrix-client.j2"
dest: "{{ matrix_well_known_file_path }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644 mode: 0644
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"

@ -31,8 +31,8 @@
# Method specific tasks follow # Method specific tasks follow
- import_tasks: tasks/setup/ssl/setup_ssl_lets_encrypt.yml - import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml
- import_tasks: tasks/setup/ssl/setup_ssl_self_signed.yml - import_tasks: tasks/ssl/setup_ssl_self_signed.yml
- import_tasks: tasks/setup/ssl/setup_ssl_manually_managed.yml - import_tasks: tasks/ssl/setup_ssl_manually_managed.yml

@ -38,7 +38,7 @@
when: "matrix_ssl_retrieval_method == 'lets-encrypt'" when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Obtain Let's Encrypt certificates - name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}" with_items: "{{ domains_requiring_certificates }}"
loop_control: loop_control:
loop_var: domain_name loop_var: domain_name

@ -0,0 +1,8 @@
---
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'manually-managed'"

@ -17,7 +17,7 @@
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'"
- name: Generate self-signed certificates - name: Generate self-signed certificates
include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}" with_items: "{{ domains_requiring_certificates }}"
loop_control: loop_control:
loop_var: domain_name loop_var: domain_name

@ -0,0 +1,15 @@
# The defaults below cause a postgres server to be configured (running within a container).
# Using an external server is possible by tweaking all of the parameters below.
matrix_postgres_use_external: false
matrix_postgres_connection_hostname: "matrix-postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine"
matrix_postgres_docker_image_v10: "postgres:10.6-alpine"
matrix_postgres_docker_image_v11: "postgres:11.1-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}"

@ -51,7 +51,7 @@
command: | command: |
/usr/bin/docker run --rm --name matrix-postgres-import \ /usr/bin/docker run --rm --name matrix-postgres-import \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro \ -v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro \
--entrypoint=/bin/sh --entrypoint=/bin/sh
{{ matrix_postgres_docker_image_latest }} {{ matrix_postgres_docker_image_latest }}

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
when: "not matrix_postgres_use_external"

@ -0,0 +1,24 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml"
when: run_setup
tags:
- setup-postgres
- setup-all
- import_tasks: "{{ role_path }}/tasks/import_postgres.yml"
when: run_import_postgres
tags:
- import-postgres
- import_tasks: "{{ role_path }}/tasks/import_sqlite_db.yml"
when: run_import_sqlite_db
tags:
- import-sqlite-db
- import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml"
when: run_upgrade_postgres
tags:
- upgrade-postgres

@ -0,0 +1,70 @@
---
# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`).
#
# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`).
# We wish to use the base directory for other purposes (storing environment variable files, etc.).
# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize
# a database in a non-empty directory.
#
# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations
# which still store it in the parent directory (`/matrix/postgres`).
- name: Check if old Postgres data directory is used
stat:
path: "{{ matrix_postgres_base_path }}/PG_VERSION"
register: result_pg_old_data_dir_stat
- name: Warn if old Postgres data directory detected
debug:
msg: >
Found that you have Postgres data in `{{ matrix_postgres_base_path }}`.
From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead.
We'll stop Postgres and relocate the files there for you.
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Find files and directories in old Postgres data path
find:
paths: "{{ matrix_postgres_base_path }}"
file_type: any
excludes: ["data"]
register: "result_pg_old_data_dir_find"
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Ensure new Postgres data path exists
file:
path: "{{ matrix_postgres_data_path }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Ensure matrix-postgres is stopped
service:
name: matrix-postgres
state: stopped
daemon_reload: yes
when: "result_pg_old_data_dir_stat.stat.exists"
- block:
- name: Relocate Postgres data files from old directory to new
command: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path|basename }}"
with_items: "{{ result_pg_old_data_dir_find.files }}"
when: "result_pg_old_data_dir_stat.stat.exists"
# Intentionally not starting matrix-postgres here.
# It likely needs to be updated to point to the new directory.
# In fact, let's even get rid of the outdated service, to ensure no one will start it
# and have it initialize a new database.
- name: Ensure outdated matrix-postgres.service doesn't exist
file:
path: "/etc/systemd/system/matrix-postgres.service"
state: absent
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service
service:
daemon_reload: yes
when: "result_pg_old_data_dir_stat.stat.exists"

@ -4,7 +4,9 @@
# Generic tasks, no matter what kind of server we're using (internal/external) # Generic tasks, no matter what kind of server we're using (internal/external)
# #
- import_tasks: tasks/util/detect_existing_postgres_version.yml - import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml"
- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml"
# If we have found an existing version (installed from before), we use its corresponding Docker image. # If we have found an existing version (installed from before), we use its corresponding Docker image.
# If not, we install using the latest Postgres. # If not, we install using the latest Postgres.
@ -23,14 +25,27 @@
docker_image: docker_image:
name: "{{ matrix_postgres_docker_image_to_use }}" name: "{{ matrix_postgres_docker_image_to_use }}"
# We always create these directories, even if an external Postgres is used,
# because we store environment variable files there.
- name: Ensure Postgres paths exist
file:
path: "{{ item }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_postgres_base_path }}"
- "{{ matrix_postgres_data_path }}"
- name: Ensure Postgres environment variables file created - name: Ensure Postgres environment variables file created
template: template:
src: "{{ role_path }}/templates/env/{{ item }}.j2" src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_environment_variables_data_path }}/{{ item }}" dest: "{{ matrix_postgres_base_path }}/{{ item }}"
mode: 0640 mode: 0640
with_items: with_items:
- "env-postgres-pgsql-docker" - "env-postgres-psql"
- "env-postgres-server-docker" - "env-postgres-server"
- name: Ensure matrix-postgres-cli script created - name: Ensure matrix-postgres-cli script created
template: template:
@ -48,15 +63,6 @@
# Tasks related to setting up an internal postgres server # Tasks related to setting up an internal postgres server
# #
- name: Ensure postgres data path exists
file:
path: "{{ matrix_postgres_data_path }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "not matrix_postgres_use_external"
- name: Ensure matrix-postgres.service installed - name: Ensure matrix-postgres.service installed
template: template:
src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
@ -96,5 +102,5 @@
# We just want to notify the user. Deleting data is too destructive. # We just want to notify the user. Deleting data is too destructive.
- name: Notify if matrix-postgres local data remains - name: Notify if matrix-postgres local data remains
debug: debug:
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that." msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete it."
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists" when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"

@ -71,7 +71,7 @@
command: | command: |
/usr/bin/docker run --rm --name matrix-postgres-dump \ /usr/bin/docker run --rm --name matrix-postgres-dump \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/out \ -v {{ postgres_dump_dir }}:/out \
{{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} {{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }}
@ -86,7 +86,7 @@
- debug: - debug:
msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation."
- import_tasks: tasks/setup/setup_postgres.yml - import_tasks: tasks/setup_postgres.yml
- name: Ensure matrix-postgres autoruns and is restarted - name: Ensure matrix-postgres autoruns and is restarted
service: service:
@ -105,7 +105,7 @@
command: | command: |
/usr/bin/docker run --rm --name matrix-postgres-import \ /usr/bin/docker run --rm --name matrix-postgres-import \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/in:ro \ -v {{ postgres_dump_dir }}:/in:ro \
{{ matrix_postgres_docker_image_latest }} psql -v ON_ERROR_STOP=1 -h matrix-postgres -f /in/{{ postgres_dump_name }} {{ matrix_postgres_docker_image_latest }} psql -v ON_ERROR_STOP=1 -h matrix-postgres -f /in/{{ postgres_dump_name }}

@ -11,7 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
--log-driver=none \ --log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ --env-file={{ matrix_postgres_base_path }}/env-postgres-server \
-v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \
-v /etc/passwd:/etc/passwd:ro \ -v /etc/passwd:/etc/passwd:ro \
{{ matrix_postgres_docker_image_to_use }} {{ matrix_postgres_docker_image_to_use }}

@ -8,7 +8,7 @@ fi
docker run \ docker run \
-it \ -it \
--rm \ --rm \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \ --network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \ {{ matrix_postgres_docker_image_to_use }} \
psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'" psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'"

@ -3,7 +3,7 @@
docker run \ docker run \
-it \ -it \
--rm \ --rm \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \ --network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \ {{ matrix_postgres_docker_image_to_use }} \
psql -h {{ matrix_postgres_connection_hostname }} psql -h {{ matrix_postgres_connection_hostname }}

@ -0,0 +1,32 @@
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
# If you wish to connect to your Matrix server by other means,
# you may wish to disable this.
matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
# Riot config.json customizations
matrix_riot_web_disable_custom_urls: true
matrix_riot_web_disable_guests: true
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api"
matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api"
matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Riot public room directory server(s)
matrix_riot_web_roomdir_servers: ['matrix.org']
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# Riot home.html customizations
# Default home.html template file
matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2"
# Show general discussion about Matrix and Riot row
matrix_riot_web_homepage_template_general: true
# Show Matrix technical discussions row
matrix_riot_web_homepage_template_technical: true
# Show building services on Matrix row
matrix_riot_web_homepage_template_building: true
# Show contributing code to Matrix and Riot row
matrix_riot_web_homepage_template_contributing: true

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-riot-web'] }}"
when: matrix_riot_web_enabled

@ -0,0 +1,16 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml"
when: run_setup
tags:
- setup-all
- setup-riot-web
- import_tasks: "{{ role_path }}/tasks/self_check_riot_web.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check and matrix_riot_web_enabled"
tags:
- self-check

@ -26,7 +26,7 @@
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}"
with_items: with_items:
- {src: "{{ role_path }}/templates/riot-web/config.json.j2", name: "config.json"} - {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"}
- {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"} - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"}
when: matrix_riot_web_enabled when: matrix_riot_web_enabled

@ -1,463 +0,0 @@
# The bare hostname which represents your identity.
# This is something like "example.com".
# Note: this playbook does not touch the server referenced here.
hostname_identity: "{{ host_specific_hostname_identity|lower }}"
# This is where your data lives and what we set up here.
# This and the Riot hostname (see below) are expected to be on the same server.
hostname_matrix: "matrix.{{ hostname_identity }}"
# This is where you access the web UI from and what we set up here.
# This and the Matrix hostname (see above) are expected to be on the same server.
hostname_riot: "riot.{{ hostname_identity }}"
matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
matrix_base_data_path: "/matrix"
matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_homeserver_url: "https://{{ hostname_matrix }}"
matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}"
# The Docker network that all services would be put into
matrix_docker_network: "matrix"
matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
# Specifies which template files to use when configuring Synapse.
# If you'd like to have your own different configuration, feel free to copy and paste
# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
# and then change the specific host's `vars.yaml` file like this:
# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars/<host>/homeserver.yaml.j2"
matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2"
matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2"
matrix_synapse_macaroon_secret_key: ""
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
# The final list of identity servers to use for Synapse.
# The first one would also be used as riot-web's default identity server.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
matrix_synapse_max_log_files_count: 10
# Log levels
# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels
# warning: setting log level to DEBUG will make synapse log sensitive information such
# as access tokens
matrix_synapse_log_level: "INFO"
matrix_synapse_storage_sql_log_level: "INFO"
matrix_synapse_root_log_level: "INFO"
# Rate limits
matrix_synapse_rc_messages_per_second: 0.2
matrix_synapse_rc_message_burst_count: 10.0
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false
# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
# If users participate in large rooms with many other servers,
# disabling this will decrease server load significantly.
matrix_synapse_use_presence: true
# Controls whether people with access to the homeserver can register by themselves.
matrix_synapse_enable_registration: false
# Users who register on this homeserver will automatically be joined to these rooms.
# Rooms are to be specified using addresses (e.g. `#address:example.com`)
matrix_synapse_auto_join_rooms: []
# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created
# automatically if they don't already exist.
matrix_synapse_autocreate_auto_join_rooms: true
# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
matrix_synapse_password_config_pepper: ""
# Controls the number of events that Matrix Synapse caches in memory.
matrix_synapse_event_cache_size: "100K"
# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable.
# Raise this to increase cache sizes or lower it to potentially lower memory use.
# To learn more, see:
# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram
# - https://github.com/matrix-org/synapse/issues/3939
matrix_synapse_cache_factor: 0.5
# Controls whether Matrix Synapse will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
matrix_synapse_federation_enabled: true
# A list of domain names that are allowed to federate with the given Matrix Synapse server.
# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
matrix_synapse_federation_domain_whitelist: ~
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_synapse_container_additional_volumes: []
# A list of additional loggers to register in synapse.log.config.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"name": "..", "level": "DEBUG"}
matrix_synapse_additional_loggers: []
# A list of service config files
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains fs paths
matrix_synapse_app_service_config_files: []
# This is set dynamically during execution depending on whether
# any password providers have been enabled or not.
matrix_synapse_password_providers_enabled: false
# Enable this to activate the REST auth password provider module.
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
matrix_synapse_ext_password_provider_rest_auth_enabled: false
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
# Enable this to activate the Shared Secret Auth password provider module.
# See: https://github.com/devture/matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
# Enable this to activate LDAP password provider
matrix_synapse_ext_password_provider_ldap_enabled: false
matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
matrix_synapse_ext_password_provider_ldap_start_tls: true
matrix_synapse_ext_password_provider_ldap_base: ""
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
matrix_synapse_ext_password_provider_ldap_bind_dn: ""
matrix_synapse_ext_password_provider_ldap_bind_password: ""
matrix_synapse_ext_password_provider_ldap_filter: ""
# The defaults below cause a postgres server to be configured (running within a container).
# Using an external server is possible by tweaking all of the parameters below.
matrix_postgres_use_external: false
matrix_postgres_connection_hostname: "matrix-postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine"
matrix_postgres_docker_image_v10: "postgres:10.6-alpine"
matrix_postgres_docker_image_v11: "postgres:11.1-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}"
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# A shared secret (between Synapse and Coturn) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: ""
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_s3_media_store_enabled: false
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
matrix_s3_media_store_bucket_name: "your-bucket-name"
matrix_s3_media_store_aws_access_key: "your-aws-access-key"
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
matrix_s3_media_store_region: "eu-central-1"
# By default, this playbook sets up a postfix mailer server (running in a container).
# This is so that Matrix Synapse can send email reminders for unread messages.
# Other services (like mxisd), however, also use that mailer to send emails through it.
matrix_mailer_enabled: true
matrix_mailer_docker_image: "panubo/postfix:latest"
matrix_mailer_sender_address: "matrix@{{ hostname_identity }}"
matrix_mailer_relay_use: false
matrix_mailer_relay_host_name: "mail.example.com"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: false
matrix_mailer_relay_auth_username: ""
matrix_mailer_relay_auth_password: ""
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
# you may wish to disable this.
matrix_mxisd_enabled: true
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups
matrix_mxisd_matrixorg_forwarding_enabled: false
# mxisd has serveral supported identity stores.
# One of them (which we enable by default) is storing identities directly in Synapse's database.
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
#
# If you need to disable this in favor of some other store, you can toggle it to disabled here
# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
matrix_mxisd_synapsesql_enabled: true
matrix_mxisd_synapsesql_type: postgresql
matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
# Default mxisd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_mxisd_configuration_yaml: |
matrix:
domain: {{ hostname_identity }}
server:
name: {{ hostname_matrix }}
key:
path: /var/mxisd/sign.key
storage:
provider:
sqlite:
database: /var/mxisd/mxisd.db
{% if matrix_mxisd_matrixorg_forwarding_enabled %}
forward:
servers: ['matrix-org']
{% endif %}
threepid:
medium:
email:
identity:
from: {{ matrix_mailer_sender_address }}
connectors:
smtp:
host: matrix-mailer
port: 587
tls: 0
synapseSql:
enabled: {{ matrix_mxisd_synapsesql_enabled }}
type: {{ matrix_mxisd_synapsesql_type }}
connection: {{ matrix_mxisd_synapsesql_connection }}
matrix_mxisd_configuration_extension_yaml: |
# Your custom YAML configuration for mxisd goes here.
# This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_mxisd_configuration_yaml`.
#
# Example configuration extension follows:
#
# ldap:
# enabled: true
# connection:
# host: ldapHostnameOrIp
# tls: false
# port: 389
# baseDns: ['OU=Users,DC=example,DC=org']
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
# Holds the final mxisd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"
# Enable this to add support for matrix-corporal.
# See: https://github.com/devture/matrix-corporal
matrix_corporal_enabled: false
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
matrix_corporal_http_api_enabled: false
matrix_corporal_http_api_auth_token: ""
# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value)
matrix_corporal_policy_provider_config: ""
matrix_corporal_debug: false
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
# If you wish to connect to your Matrix server by other means,
# you may wish to disable this.
matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
# Riot config.json customizations
matrix_riot_web_disable_custom_urls: true
matrix_riot_web_disable_guests: true
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api"
matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api"
matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Riot public room directory server(s)
matrix_riot_web_roomdir_servers: ['matrix.org']
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# Riot home.html customizations
# Default home.html template file
matrix_riot_web_homepage_template: "{{ role_path }}/templates/riot-web/home.html.j2"
# Show general discussion about Matrix and Riot row
matrix_riot_web_homepage_template_general: true
# Show Matrix technical discussions row
matrix_riot_web_homepage_template_technical: true
# Show building services on Matrix row
matrix_riot_web_homepage_template_building: true
# Show contributing code to Matrix and Riot row
matrix_riot_web_homepage_template_contributing: true
# Matrix mautrix is a Matrix <-> Telegram bridge
# Enable telegram bridge
matrix_mautrix_telegram_enabled: false
matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
# Get your own API keys at https://my.telegram.org/apps
matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
# Mautrix telegram public endpoint to log in to telegram
# Use an uuid so it's not easily discoverable
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
# Matrix mautrix is a Matrix <-> Whatsapp bridge
# Enable whatsapp bridge
matrix_mautrix_whatsapp_enabled: false
matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"
matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
# By default, this playbook sets up its own nginx proxy server on port 80/443.
# This is fine if you're dedicating the whole server to Matrix.
# But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008"
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse
# Note TLSv1.3 is not yet available in dockerized nginx
# See: https://github.com/nginxinc/docker-nginx/issues/190
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.
#
# The following retrieval methods are supported:
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
# - "self-signed" - the playbook generates and self-signs certificates
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
#
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
# obeying the following hierarchy:
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
matrix_ssl_retrieval_method: "lets-encrypt"
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
# Variables to Control which parts of the role run.
run_setup: true
run_import_postgres: true
run_upgrade_postgres: true
run_start: true
run_register_user: true
run_import_sqlite_db: true
run_import_media_store: true
run_self_check: true

@ -1,41 +0,0 @@
---
- import_tasks: tasks/setup/main.yml
when: run_setup
- import_tasks: tasks/import/import_postgres.yml
tags:
- import-postgres
when: run_import_postgres
- import_tasks: tasks/upgrade_postgres.yml
tags:
- upgrade-postgres
when: run_upgrade_postgres
- import_tasks: tasks/start.yml
tags:
- start
when: run_start
- import_tasks: tasks/register_user.yml
tags:
- register-user
when: run_register_user
- import_tasks: tasks/import/import_sqlite_db.yml
tags:
- import-sqlite-db
when: run_import_sqlite_db
- import_tasks: tasks/import/import_media_store.yml
tags:
- import-media-store
when: run_import_media_store
- import_tasks: tasks/self_check/main.yml
delegate_to: 127.0.0.1
become: false
tags:
- self-check
when: run_self_check

@ -1,18 +0,0 @@
---
- import_tasks: tasks/self_check/self_check_dns.yml
- import_tasks: tasks/self_check/self_check_client_api.yml
- import_tasks: tasks/self_check/self_check_federation_api.yml
- import_tasks: tasks/self_check/self_check_riot_web.yml
when: "matrix_riot_web_enabled"
- import_tasks: tasks/self_check/self_check_mxisd.yml
when: "matrix_mxisd_enabled"
- import_tasks: tasks/self_check/self_check_well_known.yml
- import_tasks: tasks/self_check/self_check_corporal.yml
when: "matrix_corporal_enabled"

@ -1,77 +0,0 @@
---
- import_tasks: tasks/setup/setup_sanity_check.yml
tags:
- always
- import_tasks: tasks/setup/setup_base.yml
tags:
- setup-all
- import_tasks: tasks/setup/setup_main.yml
tags:
- setup-all
- import_tasks: tasks/setup/ssl/main.yml
tags:
- setup-all
- setup-ssl
- import_tasks: tasks/setup/setup_postgres.yml
tags:
- setup-all
- setup-postgres
- import_tasks: tasks/setup/setup_goofys.yml
tags:
- setup-all
- setup-goofys
- import_tasks: tasks/setup/setup_coturn.yml
tags:
- setup-all
- setup-coturn
- import_tasks: tasks/setup/setup_mailer.yml
tags:
- setup-all
- setup-mailer
- import_tasks: tasks/setup/setup_mxisd.yml
tags:
- setup-all
- setup-mxisd
- import_tasks: tasks/setup/setup_corporal_overrides.yml
tags:
- always
- import_tasks: tasks/setup/setup_corporal.yml
tags:
- setup-all
- setup-corporal
- import_tasks: tasks/setup/synapse/main.yml
tags:
- setup-all
- setup-synapse
- setup-coturn
- import_tasks: tasks/setup/setup_riot_web.yml
tags:
- setup-all
- setup-riot-web
- import_tasks: tasks/setup/setup_well_known.yml
tags:
- setup-all
- setup-mxisd
- setup-synapse
- setup-nginx-proxy
- setup-well-known
- import_tasks: tasks/setup/setup_nginx_proxy.yml
tags:
- setup-all
- setup-nginx-proxy
- setup-well-known

@ -1,11 +0,0 @@
# These overrides run with the `always` tag,
# because they're important not only for the `setup-corporal` tag, but for other tags too.
#
# We want an nginx-proxy rebuild (`--tags=setup-nginx-proxy`) to also go through here
# and be affected by these overrides.
- name: Override configuration specifying where the Matrix Client API is
set_fact:
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
when: "matrix_corporal_enabled"

@ -1,8 +0,0 @@
---
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'manually-managed'"

@ -1,11 +0,0 @@
---
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml

@ -1,7 +0,0 @@
---
- import_tasks: tasks/setup/synapse/setup_synapse_pre.yml
- import_tasks: tasks/setup/synapse/ext/main.yml
- import_tasks: tasks/setup/synapse/setup_synapse_main.yml

@ -1,87 +0,0 @@
---
- name: Ensure matrix-postgres autoruns and is restarted
service:
name: matrix-postgres
enabled: yes
state: restarted
daemon_reload: yes
when: "not matrix_postgres_use_external"
- name: Ensure matrix-goofys autoruns and is restarted
service:
name: matrix-goofys
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_s3_media_store_enabled
- name: Ensure matrix-coturn autoruns and is restarted
service:
name: matrix-coturn
enabled: yes
state: restarted
daemon_reload: yes
- name: Ensure matrix-mailer autoruns and is restarted
service:
name: matrix-mailer
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mailer_enabled
- name: Ensure matrix-mxisd autoruns and is restarted
service:
name: matrix-mxisd
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mxisd_enabled
- name: Ensure matrix-synapse autoruns and is restarted
service:
name: matrix-synapse
enabled: yes
state: restarted
daemon_reload: yes
- name: Ensure matrix-riot-web autoruns and is restarted
service:
name: matrix-riot-web
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_riot_web_enabled
- name: Ensure matrix-nginx-proxy autoruns and is restarted
service:
name: matrix-nginx-proxy
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_nginx_proxy_enabled
- name: Ensure matrix-corporal autoruns and is restarted
service:
name: matrix-corporal
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_corporal_enabled
- name: Ensure matrix-mautrix-telegram autoruns and is restarted
service:
name: matrix-mautrix-telegram
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mautrix_telegram_enabled
- name: Ensure matrix-mautrix-whatsapp autoruns and is restarted
service:
name: matrix-mautrix-whatsapp
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mautrix_whatsapp_enabled

@ -0,0 +1,176 @@
matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Client/Server API's port to the local host (`127.0.0.1:8008`).
matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
# Specifies which template files to use when configuring Synapse.
# If you'd like to have your own different configuration, feel free to copy and paste
# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
# and then change the specific host's `vars.yaml` file like this:
# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars/<host>/homeserver.yaml.j2"
matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2"
matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2"
matrix_synapse_macaroon_secret_key: ""
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
# The final list of identity servers to use for Synapse.
# The first one would also be used as riot-web's default identity server.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
matrix_synapse_max_log_files_count: 10
# Log levels
# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels
# warning: setting log level to DEBUG will make synapse log sensitive information such
# as access tokens
matrix_synapse_log_level: "INFO"
matrix_synapse_storage_sql_log_level: "INFO"
matrix_synapse_root_log_level: "INFO"
# Rate limits
matrix_synapse_rc_messages_per_second: 0.2
matrix_synapse_rc_message_burst_count: 10.0
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false
# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
# If users participate in large rooms with many other servers,
# disabling this will decrease server load significantly.
matrix_synapse_use_presence: true
# Controls whether people with access to the homeserver can register by themselves.
matrix_synapse_enable_registration: false
# Users who register on this homeserver will automatically be joined to these rooms.
# Rooms are to be specified using addresses (e.g. `#address:example.com`)
matrix_synapse_auto_join_rooms: []
# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created
# automatically if they don't already exist.
matrix_synapse_autocreate_auto_join_rooms: true
# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
matrix_synapse_password_config_pepper: ""
# Controls the number of events that Matrix Synapse caches in memory.
matrix_synapse_event_cache_size: "100K"
# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable.
# Raise this to increase cache sizes or lower it to potentially lower memory use.
# To learn more, see:
# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram
# - https://github.com/matrix-org/synapse/issues/3939
matrix_synapse_cache_factor: 0.5
# Controls whether Matrix Synapse will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
matrix_synapse_federation_enabled: true
# A list of domain names that are allowed to federate with the given Matrix Synapse server.
# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
matrix_synapse_federation_domain_whitelist: ~
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_synapse_container_additional_volumes: []
# A list of additional loggers to register in synapse.log.config.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"name": "..", "level": "DEBUG"}
matrix_synapse_additional_loggers: []
# A list of service config files
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains fs paths
matrix_synapse_app_service_config_files: []
# This is set dynamically during execution depending on whether
# any password providers have been enabled or not.
matrix_synapse_password_providers_enabled: false
# Enable this to activate the REST auth password provider module.
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
matrix_synapse_ext_password_provider_rest_auth_enabled: false
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
# Enable this to activate the Shared Secret Auth password provider module.
# See: https://github.com/devture/matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
# Enable this to activate LDAP password provider
matrix_synapse_ext_password_provider_ldap_enabled: false
matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
matrix_synapse_ext_password_provider_ldap_start_tls: true
matrix_synapse_ext_password_provider_ldap_base: ""
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
matrix_synapse_ext_password_provider_ldap_bind_dn: ""
matrix_synapse_ext_password_provider_ldap_bind_password: ""
matrix_synapse_ext_password_provider_ldap_filter: ""
matrix_s3_media_store_enabled: false
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
matrix_s3_media_store_bucket_name: "your-bucket-name"
matrix_s3_media_store_aws_access_key: "your-aws-access-key"
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
matrix_s3_media_store_region: "eu-central-1"
# Matrix mautrix is a Matrix <-> Telegram bridge
# Enable telegram bridge
matrix_mautrix_telegram_enabled: false
matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
# Get your own API keys at https://my.telegram.org/apps
matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
# Mautrix telegram public endpoint to log in to telegram
# Use an uuid so it's not easily discoverable
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
# Matrix mautrix is a Matrix <-> Whatsapp bridge
# Enable whatsapp bridge
matrix_mautrix_whatsapp_enabled: false
matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"
matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"

@ -0,0 +1,5 @@
---
- import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/init.yml"
- import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}"
when: matrix_mautrix_telegram_enabled

@ -19,7 +19,7 @@
- name: Ensure Matrix Mautrix telegram config installed - name: Ensure Matrix Mautrix telegram config installed
template: template:
src: "{{ role_path }}/templates/mautrix-telegram/config.yaml.j2" src: "{{ role_path }}/templates/ext/mautrix-telegram/config.yaml.j2"
dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
mode: 0644 mode: 0644
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
@ -28,7 +28,7 @@
- name: Ensure matrix-mautrix-telegram.service installed - name: Ensure matrix-mautrix-telegram.service installed
template: template:
src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" src: "{{ role_path }}/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2"
dest: "/etc/systemd/system/matrix-mautrix-telegram.service" dest: "/etc/systemd/system/matrix-mautrix-telegram.service"
mode: 0644 mode: 0644
when: "matrix_mautrix_telegram_enabled" when: "matrix_mautrix_telegram_enabled"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}"
when: matrix_mautrix_whatsapp_enabled

@ -19,7 +19,7 @@
- name: Ensure Matrix Mautrix whatsapp config installed - name: Ensure Matrix Mautrix whatsapp config installed
template: template:
src: "{{ role_path }}/templates/mautrix-whatsapp/config.yaml.j2" src: "{{ role_path }}/templates/ext/mautrix-whatsapp/config.yaml.j2"
dest: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml" dest: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
mode: 0644 mode: 0644
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
@ -28,7 +28,7 @@
- name: Ensure matrix-mautrix-whatsapp.service installed - name: Ensure matrix-mautrix-whatsapp.service installed
template: template:
src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2" src: "{{ role_path }}/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2"
dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service" dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service"
mode: 0644 mode: 0644
when: "matrix_mautrix_whatsapp_enabled" when: "matrix_mautrix_whatsapp_enabled"

Some files were not shown because too many files have changed in this diff Show More

Loading…
Cancel
Save