Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into add-support-for-suse-linux

3 years ago · 6f99f95aa2
parent f364fba182 2bf052369d
commit 6f99f95aa2
54 changed files with 336 additions and 192 deletions
--- a/docs/configuring-awx-system.md
+++ b/docs/configuring-awx-system.md
@ -26,7 +26,7 @@ The following repositories allow you to copy and use this setup:

 Updates to this section are trailed here:

-[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
+[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy)


 ## Does I need an AWX setup to use this? How do I configure it? 
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -108,6 +108,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
 # Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
 # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
 matrix_coturn_enabled: false
+
+# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
+matrix_nginx_proxy_trust_forwarded_proto: true
 ```

 With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@ -56,8 +56,40 @@ Name | Description
 `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
 `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
 `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable)
-`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`).
+`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`)

+### Collecting system and Postgres metrics to an external Prometheus server (advanced)
+
+When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats.
+
+It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network.
+
+Use the following variables in addition to the ones mentioned above:
+
+Name | Description
+-----|----------
+`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy
+`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain
+`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter
+`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter
+`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below)
+
+```nginx
+matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks:
+  - 'location /node-exporter/ {
+  resolver 127.0.0.11 valid=5s;
+  proxy_pass http://matrix-prometheus-node-exporter:9100/;
+  auth_basic "protected";
+  auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
+  }'
+  - 'location /postgres-exporter/ {
+  resolver 127.0.0.11 valid=5s;
+  proxy_pass http://matrix-prometheus-postgres-exporter:9187/;
+  auth_basic "protected";
+  auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
+  }'
+```
+You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187.

 ## More information

--- a/docs/faq.md
+++ b/docs/faq.md
@ -121,7 +121,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM

 - this one **can be executed more than once** without causing trouble

- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux**
+- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 10/Buster+, **Ubuntu** 18.04+), **Archlinux**

 - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place

--- a/docs/importing-postgres.md
+++ b/docs/importing-postgres.md
@ -60,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user;
 It can be worked around by changing the username to `synapse`, for example by using `sed`:

 ```Shell
-$ sed -i "s/synapse_user/synapse/g" homeserver.sql"
+$ sed -i "s/synapse_user/synapse/g" homeserver.sql
 ```

 This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead.
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@ -4,8 +4,8 @@ To install Matrix services using this Ansible playbook, you need:

 - (Recommended) An **x86** server ([What kind of server specs do I need?](faq.md#what-kind-of-server-specs-do-i-need)) running one of these operating systems:
  - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300))
-  - **Debian** (9/Stretch or newer)
-  - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
+  - **Debian** (10/Buster or newer)
+  - **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
  - **Archlinux**

 Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -22,6 +22,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-mailer`
 - `matrix-bridge-appservice-irc`
 - `matrix-bridge-appservice-slack`
+- `matrix-bridge-appservice-webhooks`
 - `matrix-bridge-mautrix-facebook`
 - `matrix-bridge-mautrix-hangouts`
 - `matrix-bridge-mautrix-telegram`
--- a/examples/vars.yml
+++ b/examples/vars.yml
@ -14,7 +14,7 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE
 #
 # In case SSL renewal fails at some point, you'll also get an email notification there.
 #
-# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt),
+# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
 # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
 #
 # Example value: someone@example.com
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -104,6 +104,8 @@ matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_
 # We don't enable bridges by default.
 matrix_appservice_webhooks_enabled: false

+matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # matrix-appservice-webhooks' client-server port to the local host.
--- a/roles/matrix-awx/tasks/backup_server.yml
+++ b/roles/matrix-awx/tasks/backup_server.yml
@ -24,14 +24,6 @@
    mode: '0660'
  tags: use-survey

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-  tags: use-survey
-
 - name: Recreate 'Backup Server' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -49,8 +41,8 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  tags: use-survey

@ -90,6 +82,15 @@
  command: borgmatic -c /root/.config/borgmatic/config_2.yaml
  when: matrix_awx_backup_enabled|bool

+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
+
 - name: Set boolean value to exit playbook
  set_fact:
    end_playbook: true
--- a/roles/matrix-awx/tasks/create_session_token.yml
+++ b/roles/matrix-awx/tasks/create_session_token.yml
@ -0,0 +1,10 @@
+
+- name: Create a AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: present
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_master_token }}"
+  register: awx_session_token
+  no_log: True
--- a/roles/matrix-awx/tasks/create_user.yml
+++ b/roles/matrix-awx/tasks/create_user.yml
@ -23,6 +23,15 @@
    /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
  register: cmd

+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
+
 - name: Result
  debug: msg="{{ cmd.stdout }}"

--- a/roles/matrix-awx/tasks/customise_website_access_export.yml
+++ b/roles/matrix-awx/tasks/customise_website_access_export.yml
@ -77,13 +77,6 @@
    mode: '0660'
  when: customise_base_domain_website is undefined

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Website + Access Export' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -101,8 +94,8 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  when: customise_base_domain_website is defined

@ -123,8 +116,8 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  when: customise_base_domain_website is undefined

--- a/roles/matrix-awx/tasks/delete_session_token.yml
+++ b/roles/matrix-awx/tasks/delete_session_token.yml
@ -0,0 +1,9 @@
+
+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
--- a/roles/matrix-awx/tasks/export_server.yml
+++ b/roles/matrix-awx/tasks/export_server.yml
@ -24,6 +24,15 @@
    units: days
    unique: yes

+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
+
 - name: Set boolean value to exit playbook
  set_fact:
    end_playbook: true
--- a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml
+++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml
@ -9,3 +9,7 @@
    file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
  no_log: True

+- name: Include AWX master token from awx_tokens.yml
+  include_vars:
+    file: /var/lib/awx/projects/hosting/awx_tokens.yml
+  no_log: True
--- a/roles/matrix-awx/tasks/main.yml
+++ b/roles/matrix-awx/tasks/main.yml
@ -17,6 +17,15 @@
  tags:
    - always

+# Create AWX session token
+- include_tasks: 
+    file: "create_session_token.yml"
+    apply:
+      tags: always
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - always
+
 # Perform a backup of the server
 - include_tasks: 
    file: "backup_server.yml"
@ -25,7 +34,7 @@
  when: run_setup|bool and matrix_awx_enabled|bool
  tags:
    - backup-server
-    
+
 # Perform a export of the server
 - include_tasks: 
    file: "export_server.yml"
@ -62,6 +71,15 @@
  tags:
    - purge-database

+# Rotate SSH key if called
+- include_tasks: 
+    file: "rotate_ssh.yml"
+    apply:
+      tags: rotate-ssh
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - rotate-ssh
+
 # Import configs, media repo from /chroot/backup import
 - include_tasks: 
    file: "import_awx.yml"
@ -179,6 +197,15 @@
  tags:
    - setup-synapse-admin

+# Delete AWX session token
+- include_tasks: 
+    file: "delete_session_token.yml"
+    apply:
+      tags: always
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - always
+
 # Load newly formed matrix variables from AWX volume
 - include_tasks: 
    file: "load_matrix_variables.yml"
--- a/roles/matrix-awx/tasks/purge_database_main.yml
+++ b/roles/matrix-awx/tasks/purge_database_main.yml
@ -5,18 +5,18 @@
    name: dateutils
    state: latest

- name: Ensure dateutils, curl and jq intalled on target machine
+- name: Include vars in matrix_vars.yml
+  include_vars:
+    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+  no_log: True
+
+- name: Ensure curl and jq intalled on target machine
  apt:
    pkg:
    - curl
    - jq
    state: present

- name: Include vars in matrix_vars.yml
-  include_vars:
-    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
-  no_log: True
-
 - name: Collect before shrink size of Synapse database
  shell: du -sh /matrix/postgres/data
  register: db_size_before_stat
@ -144,13 +144,6 @@
  loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
  when: purge_mode.find("Number of events [slower]") != -1

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Adjust 'Deploy/Update a Server' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -165,8 +158,8 @@
    credential: "{{ member_id }} - AWX SSH Key"
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)

@ -175,8 +168,8 @@
  awx.awx.tower_job_launch:
    job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
    wait: yes
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes 
  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)

@ -194,8 +187,8 @@
    credential: "{{ member_id }} - AWX SSH Key"
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)

@ -231,8 +224,8 @@
    credential: "{{ member_id }} - AWX SSH Key"
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  when: (purge_mode.find("Perform final shrink") != -1)

@ -241,8 +234,8 @@
  awx.awx.tower_job_launch:
    job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
    wait: yes
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes 
  when: (purge_mode.find("Perform final shrink") != -1)

@ -260,8 +253,8 @@
    credential: "{{ member_id }} - AWX SSH Key"
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
  when: (purge_mode.find("Perform final shrink") != -1)

@ -308,6 +301,15 @@
    msg: "{{ db_size_after_stat.stdout.split('\n') }}"
  when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1)

+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
+
 - name: Set boolean value to exit playbook
  set_fact:
    end_playbook: true
--- a/roles/matrix-awx/tasks/purge_media_main.yml
+++ b/roles/matrix-awx/tasks/purge_media_main.yml
@ -1,5 +1,5 @@

- name: Ensure dateutils and curl is installed in AWX
+- name: Ensure dateutils is installed in AWX
  delegate_to: 127.0.0.1
  yum:
    name: dateutils
@ -90,6 +90,15 @@
    msg: "{{ remote_media_size_after.stdout.split('\n') }}"
  when: matrix_purge_media_type == "Remote Media"

+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
+
 - name: Set boolean value to exit playbook
  set_fact:
    end_playbook: true
--- a/roles/matrix-awx/tasks/rename_variables.yml
+++ b/roles/matrix-awx/tasks/rename_variables.yml
@ -5,4 +5,3 @@
    path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
    regexp: 'matrix_synapse_use_presence'
    replace: 'matrix_synapse_presence_enabled'
-
--- a/roles/matrix-awx/tasks/rotate_ssh.yml
+++ b/roles/matrix-awx/tasks/rotate_ssh.yml
@ -0,0 +1,24 @@
+
+- name: Set the new authorized key taken from file
+  authorized_key:
+    user: root
+    state: present
+    exclusive: yes
+    key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}"
+
+- name: Delete the AWX session token for executing modules
+  awx.awx.tower_token:
+    description: 'AWX Session Token'
+    scope: "write"
+    state: absent
+    existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
+
+- name: Set boolean value to exit playbook
+  set_fact:
+    end_playbook: true
+
+- name: End playbook if this task list is called.
+  meta: end_play
+  when: end_playbook is defined and end_playbook|bool
--- a/roles/matrix-awx/tasks/set_variables_corporal.yml
+++ b/roles/matrix-awx/tasks/set_variables_corporal.yml
@ -218,13 +218,6 @@
 - debug:
    msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Corporal (Advanced)' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -242,6 +235,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_dimension.yml
+++ b/roles/matrix-awx/tasks/set_variables_dimension.yml
@ -82,13 +82,6 @@
    dest:  '/matrix/awx/configure_dimension.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Dimension' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -106,6 +99,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_element.yml
+++ b/roles/matrix-awx/tasks/set_variables_element.yml
@ -40,13 +40,6 @@
    dest: '/matrix/awx/configure_element.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Element' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -64,6 +57,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml
+++ b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml
@ -21,13 +21,6 @@
    dest: '/matrix/awx/configure_element_subdomain.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Element Subdomain' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -44,6 +37,6 @@
    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}"
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_jitsi.yml
+++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml
@ -22,13 +22,6 @@
    dest:  '/matrix/awx/configure_jitsi.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Jitsi' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -46,6 +39,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml
+++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml
@ -79,13 +79,6 @@
    dest:  '/matrix/awx/configure_ma1sd.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure ma1sd (Advanced)' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -103,7 +96,7 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes

--- a/roles/matrix-awx/tasks/set_variables_mailer.yml
+++ b/roles/matrix-awx/tasks/set_variables_mailer.yml
@ -21,13 +21,6 @@
    dest: '/matrix/awx/configure_email_relay.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Email Relay' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -45,6 +38,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_synapse.yml
+++ b/roles/matrix-awx/tasks/set_variables_synapse.yml
@ -200,13 +200,6 @@
    dest:  '/matrix/awx/configure_synapse.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Synapse' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -224,6 +217,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml
+++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml
@ -21,13 +21,6 @@
    dest:  '/matrix/awx/configure_synapse_admin.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
-  delegate_to: 127.0.0.1
-  shell: |
-      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
-  register: tower_token
-  no_log: True
-
 - name: Recreate 'Configure Synapse Admin' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
@ -45,6 +38,6 @@
    become_enabled: yes
    state: present
    verbosity: 1
-    tower_host: "https://{{ tower_host }}"
-    tower_oauthtoken: "{{ tower_token.stdout }}"
+    tower_host: "https://{{ awx_host }}"
+    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
    validate_certs: yes
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -83,8 +83,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl"
 matrix_host_command_systemctl: "/usr/bin/env systemctl"
 matrix_host_command_sh: "/usr/bin/env sh"

-matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}"
-matrix_ntpd_service: "{{ 'systemd-timesyncd' if ( (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or ansible_os_family == 'Suse') else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}"
+matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18')  else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}"
+matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') or ansible_distribution == 'Archlinux' or ansible_os_family == 'Suse' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}"

 matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

--- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml
+++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml
@ -4,7 +4,6 @@
  pacman:
    name:
      - python-docker
-      - "{{ matrix_ntpd_package }}"
      # TODO This needs to be verified. Which version do we need?
      - fuse3
      - python-dnspython
--- a/roles/matrix-bot-mjolnir/defaults/main.yml
+++ b/roles/matrix-bot-mjolnir/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_bot_mjolnir_enabled: true

-matrix_bot_mjolnir_version: "v0.1.19"
+matrix_bot_mjolnir_version: "v1.1.20"

 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"

-matrix_appservice_irc_version: release-0.30.0
+matrix_appservice_irc_version: release-0.31.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
@ -3,13 +3,20 @@

 matrix_appservice_webhooks_enabled: true

+matrix_appservice_webhooks_container_image_self_build: false
+matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks"
+matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}"
+matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile"
+
 matrix_appservice_webhooks_version: latest
-matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
+matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
+matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"

 matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
 matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
 matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
+matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks_base_path }}/docker-src"

 # If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
 matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
--- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml
@ -1,23 +1,47 @@
 ---

- name: Ensure Appservice webhooks image is pulled
-  docker_image:
-    name: "{{ matrix_appservice_webhooks_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
-
 - name: Ensure AppService webhooks paths exist
  file:
-    path: "{{ item }}"
+    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
-    - "{{ matrix_appservice_webhooks_base_path }}"
-    - "{{ matrix_appservice_webhooks_config_path }}"
-    - "{{ matrix_appservice_webhooks_data_path }}"
+    - { path: "{{ matrix_appservice_webhooks_base_path }}", when: true }
+    - { path: "{{ matrix_appservice_webhooks_config_path }}", when: true }
+    - { path: "{{ matrix_appservice_webhooks_data_path }}", when: true }
+    - { path: "{{ matrix_appservice_webhooks_docker_src_files_path }}", when: "{{ matrix_appservice_webhooks_container_image_self_build }}"}
+  when: "item.when|bool"
+
+- name: Ensure Appservice webhooks image is pulled
+  docker_image:
+    name: "{{ matrix_appservice_webhooks_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
+  when: "not matrix_appservice_webhooks_container_image_self_build|bool"
+
+- block:
+    - name: Ensure Appservice webhooks repository is present on self-build
+      git:
+        repo: "{{ matrix_appservice_webhooks_container_image_self_build_repo }}"
+        dest: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
+        version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}"
+        force: "yes"
+      register: matrix_appservice_webhooks_git_pull_results
+
+    - name: Ensure Appservice webhooks Docker image is built
+      docker_image:
+        name: "{{ matrix_appservice_webhooks_docker_image }}"
+        source: build
+        force_source: "{{ matrix_appservice_webhooks_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_git_pull_results.changed }}"
+        build:
+          dockerfile: "{{ matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path }}"
+          path: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
+          pull: yes
+  when: "matrix_appservice_webhooks_container_image_self_build|bool"

 - name: Ensure Matrix Appservice webhooks config is installed
  copy:
--- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_beeper_linkedin_enabled: true

-matrix_beeper_linkedin_version: v0.5.0
+matrix_beeper_linkedin_version: v0.5.1
 # See: https://gitlab.com/beeper/linkedin/container_registry
 matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64"
 matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}"
--- a/roles/matrix-bridge-heisenbridge/defaults/main.yml
+++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_heisenbridge_enabled: true

-matrix_heisenbridge_version: 1.0.1
+matrix_heisenbridge_version: 1.2.1
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"

-matrix_client_element_version: v1.8.4
+matrix_client_element_version: v1.9.0
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-etherpad/tasks/init.yml
+++ b/roles/matrix-etherpad/tasks/init.yml
@ -15,7 +15,7 @@
  - name: Generate Etherpad proxying configuration for matrix-nginx-proxy
    set_fact:
      matrix_etherpad_matrix_nginx_proxy_configuration: |
-        rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
+        rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;

        location {{ matrix_etherpad_public_endpoint }}/ {
        {% if matrix_nginx_proxy_enabled|default(False) %}
@ -27,7 +27,7 @@
          proxy_http_version 1.1;  # recommended with keepalive connections
          proxy_pass_header Server;
          proxy_set_header Host $host;
-          proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+          proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used
          # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_grafana_enabled: false

-matrix_grafana_version: 8.1.3
+matrix_grafana_version: 8.1.4
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -1,5 +1,5 @@
 matrix_nginx_proxy_enabled: true
-matrix_nginx_proxy_version: 1.21.1-alpine
+matrix_nginx_proxy_version: 1.21.3-alpine

 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -40,6 +40,12 @@ matrix_nginx_proxy_container_extra_arguments: []
 # - services are served directly from the HTTP vhost
 matrix_nginx_proxy_https_enabled: true

+# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header
+#
+# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.
+matrix_nginx_proxy_trust_forwarded_proto: false
+matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"
+
 # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
@ -177,6 +183,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809
 # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_synapse_metrics: false
 matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
+# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
+# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
+# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
+# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
 matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""

 # The addresses where the Matrix Client API is.
@ -426,7 +436,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []

 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.18.0"
+matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
@ -88,7 +88,7 @@ server {
 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
 		ssl_stapling on;
 		ssl_stapling_verify on;
-		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem;
 	{% endif %}

 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@ -20,13 +20,13 @@
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}
-	
+
 	{% if matrix_nginx_proxy_hsts_preload_enabled %}
 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	{% else %}
 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	{% endif %}
-	
+
 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";

 	location /.well-known/matrix {
@ -59,7 +59,7 @@

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}

@ -77,7 +77,7 @@

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}

@ -112,7 +112,7 @@

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}

@ -137,7 +137,7 @@

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

 		client_body_buffer_size 25M;
 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
@ -152,7 +152,7 @@
 	#}
 	location ~* ^/$ {
 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
-			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
+			return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
 		{% else %}
 			rewrite ^/$ /_matrix/static/ last;
 		{% endif %}
@ -215,12 +215,12 @@ server {
 		ssl_stapling_verify on;
 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
 	{% endif %}
-	
+
 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
 		ssl_session_tickets off;
 	{% endif %}
 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
-	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};	
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

 	{{ render_vhost_directives() }}
 }
@ -262,7 +262,7 @@ server {
 			ssl_stapling_verify on;
 			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
 		{% endif %}
-		
+
 		{% if matrix_nginx_proxy_ssl_session_tickets_off %}
 			ssl_session_tickets off;
 		{% endif %}
@ -283,7 +283,7 @@ server {

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

 		client_body_buffer_size 25M;
 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
@ -71,7 +71,7 @@
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 		tcp_nodelay on;
 	}
 {% endmacro %}
@ -128,7 +128,7 @@ server {
 		ssl_stapling_verify on;
 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
 	{% endif %}
-	
+
 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
 		ssl_session_tickets off;
 	{% endif %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
@ -29,7 +29,7 @@

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 {% endmacro %}

@ -85,7 +85,7 @@ server {
 		ssl_stapling_verify on;
 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
 	{% endif %}
-	
+
 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
 		ssl_session_tickets off;
 	{% endif %}
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@ -22,7 +22,8 @@ matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}
 matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}"
 matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}"
 matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}"
+matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}"

 # This variable is assigned at runtime. Overriding its value has no effect.
 matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}'
--- a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml
+++ b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml
@ -54,3 +54,8 @@
  set_fact:
    matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}"
  when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')"
+
+- name: Determine corresponding Docker image to detected version (use 13.x, if detected)
+  set_fact:
+    matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}"
+  when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')"
--- a/roles/matrix-registration/tasks/init.yml
+++ b/roles/matrix-registration/tasks/init.yml
@ -22,8 +22,8 @@
  - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
    set_fact:
      matrix_registration_matrix_nginx_proxy_configuration: |
-        rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
-        rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
+        rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
+        rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect;

        location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
        {% if matrix_nginx_proxy_enabled|default(False) %}
--- a/roles/matrix-synapse-admin/tasks/init.yml
+++ b/roles/matrix-synapse-admin/tasks/init.yml
@ -22,7 +22,7 @@
  - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
    set_fact:
      matrix_synapse_admin_matrix_nginx_proxy_configuration: |
-        rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
+        rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;

        location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
        {% if matrix_nginx_proxy_enabled|default(False) %}
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.42.0
-matrix_synapse_version_arm64: v1.42.0
+matrix_synapse_version: v1.44.0
+matrix_synapse_version_arm64: v1.44.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -357,6 +357,24 @@ update_user_directory: false
 daemonize: false
 {% endif %}

+# Connection settings for the manhole
+#
+manhole_settings:
+  # The username for the manhole. This defaults to 'matrix'.
+  #
+  #username: manhole
+
+  # The password for the manhole. This defaults to 'rabbithole'.
+  #
+  #password: mypassword
+
+  # The private and public SSH key pair used to encrypt the manhole traffic.
+  # If these are left unset, then hardcoded and non-secret keys are used,
+  # which could allow traffic to be intercepted if sent over a public network.
+  #
+  #ssh_priv_key_path: /data/id_rsa
+  #ssh_pub_key_path: /data/id_rsa.pub
+
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of
@ -2258,7 +2276,7 @@ password_config:
      #
      #require_lowercase: true

-      # Whether a password must contain at least one lowercase letter.
+      # Whether a password must contain at least one uppercase letter.
      # Defaults to 'false'.
      #
      #require_uppercase: true
@ -2594,12 +2612,16 @@ user_directory:
    #enabled: false

    # Defines whether to search all users visible to your HS when searching
-    # the user directory, rather than limiting to users visible in public
-    # rooms. Defaults to false.
-    #
-    # If you set it true, you'll have to rebuild the user_directory search
-    # indexes, see:
-    # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
+    # the user directory. If false, search results will only contain users
+    # visible in public rooms and users sharing a room with the requester.
+    # Defaults to false.
+    #
+    # NB. If you set this to true, and the last time the user_directory search
+    # indexes were (re)built was before Synapse 1.44, you'll have to
+    # rebuild the indexes in order to search through all known users.
+    # These indexes are built the first time Synapse starts; admins can
+    # manually trigger a rebuild following the instructions at
+    #     https://matrix-org.github.io/synapse/latest/user_directory.html
    #
    # Uncomment to return search results containing all known users, even if that
    # user does not share a room with the requester.
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@ -32,6 +32,8 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/federation/v1/user/devices/
  - ^/_matrix/federation/v1/get_groups_publicised$
  - ^/_matrix/key/v2/query
+  - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
+  - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/

  # Inbound federation transaction request
  - ^/_matrix/federation/v1/send/
@ -43,6 +45,9 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$
  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$
  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$
+  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
+  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
+  - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
  - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$
  - ^/_matrix/client/(api/v1|r0|unstable)/devices$
  - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$
--- a/setup.yml
+++ b/setup.yml
@ -56,4 +56,4 @@
    - matrix-aux
    - matrix-postgres-backup
    - matrix-prometheus-postgres-exporter
-    - matrix-common-after
+    - matrix-common-after