From 50bf8c8dd7cc681e54afd69f7038358ef2a2c80f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Thu, 9 Jan 2020 17:00:03 +0100 Subject: [PATCH 01/46] Add matrix-appservice-webhooks role. --- group_vars/matrix_servers | 34 ++++++ .../defaults/main.yml | 110 ++++++++++++++++++ .../tasks/init.yml | 79 +++++++++++++ .../tasks/main.yml | 21 ++++ .../tasks/setup_install.yml | 64 ++++++++++ .../tasks/setup_uninstall.yml | 24 ++++ .../tasks/validate_config.yml | 11 ++ .../templates/database.json.j2 | 13 +++ .../templates/schema.yml.j2 | 54 +++++++++ .../matrix-appservice-webhooks.service.j2 | 43 +++++++ setup.yml | 1 + 11 files changed, 454 insertions(+) create mode 100644 roles/matrix-bridge-appservice-webhooks/defaults/main.yml create mode 100644 roles/matrix-bridge-appservice-webhooks/tasks/init.yml create mode 100644 roles/matrix-bridge-appservice-webhooks/tasks/main.yml create mode 100644 roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 create mode 100644 roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 create mode 100644 roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 61c9fe69..0d030909 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -60,6 +60,40 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k ###################################################################### +###################################################################### +# +# matrix-appservice-webhooks +# +###################################################################### + +# We don't enable bridges by default. +matrix_appservice_webhooks_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-appservice-webhooks' client-server port to the local host. +matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_webhooks_port }}' }}" + +matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhooks-appservice-token') | to_uuid }}" + +matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhooks-homeserver-token') | to_uuid }}" + +matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhooks-id-token') | to_uuid }}" + +matrix_appservice_webhooks_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +###################################################################### +# +# /matrix-appservice-webhooks +# +###################################################################### + + ###################################################################### # # matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml new file mode 100644 index 00000000..e88fabb8 --- /dev/null 
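Review bot: The default for `matrix_appservice_webhooks_container_http_host_bind_port` nests `{{ matrix_appservice_webhooks_webhooks_port }}` inside a string literal of the outer expression; Jinja does not evaluate expressions inside string literals, so unless Ansible re-templates the result the value stays the literal text rather than `127.0.0.1:6788`. Concatenation avoids the question: `matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' ~ matrix_appservice_webhooks_webhooks_port }}"`. This default is also built from `matrix_appservice_webhooks_webhooks_port` (6788), while the service template's `-p` mapping and its `node index.js -p` argument, the `proxy_pass http://127.0.0.1:…` fallback in init.yml, and the defaults comment ("tcp/6788 in the container") all disagree about which variable is the bridge's listening port; with these defaults the published host port would forward to a port nothing listens on. Settle on one variable for the container's HTTP port and use it in all four places.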
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml 
@@ -0,0 +1,110 @@ +# matrix-appservice-webhooks is a Matrix <-> webhook bridge +# See: https://github.com/turt2live/matrix-appservice-webhooks + +matrix_appservice_webhooks_enabled: true + +matrix_appservice_webhooks_docker_image: "turt2live/matrix-appservice-webhooks:latest" +matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" + +matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" +matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config" +matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data" + +matrix_appservice_webhooks_public_endpoint: /appservice-webhooks +matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" + +# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source +matrix_appservice_webhooks_control_room_id: '' +matrix_appservice_webhooks_bot_name: 'webhookbot' +matrix_appservice_webhooks_user_prefix: '_webhook' + +# Controls the webhooks_PORT and MATRIX_PORT of the installation +matrix_appservice_webhooks_matrix_port: 6789 +matrix_appservice_webhooks_webhooks_port: 6788 + +# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6788 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. 
+matrix_appservice_webhooks_container_http_host_bind_port: '' + +matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}" +matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008" +matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}" +matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks' + +# A list of extra arguments to pass to the container +matrix_appservice_webhooks_container_extra_arguments: [] + +# List of systemd services that matrix-appservice-webhooks.service depends on. +matrix_appservice_webhooks_systemd_required_services_list: ['docker.service', 'matrix-synapse.service'] + +# List of systemd services that matrix-appservice-webhooks.service wants +matrix_appservice_webhooks_systemd_wanted_services_list: [] + +matrix_appservice_webhooks_appservice_token: '' +matrix_appservice_webhooks_homeserver_token: '' +matrix_appservice_webhooks_id_token: '' + +matrix_appservice_webhooks_configuration_yaml: | + + # Configuration specific to the application service. All fields (unless otherwise marked) are required. + homeserver: + # The domain for the client-server API calls. + url: "{{ matrix_appservice_webhooks_homeserver_url }}" + + # The domain part for user IDs on this home server. Usually, but not always, this is the same as the + # home server's URL. + domain: "{{ matrix_domain }}" + + # Configuration specific to the bridge. All fields (unless otherwise marked) are required. + webhookBot: + # The localpart to use for the bot. May require re-registering the application service. + localpart: "_webhook" + + # Appearance options for the Matrix bot + appearance: + displayName: "Webhook Bridge" + avatarUrl: "http://i.imgur.com/IDOBtEJ.png" # webhook icon + + # Provisioning API options + provisioning: + # Your secret for the API. Required for all provisioning API requests. + secret: 'warummussesdennsolangsein' + + # Configuration related to the web portion of the bridge. 
Handles the inbound webhooks + web: + hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" + + logging: + file: data/webhook.log + console: true + consoleLevel: info + fileLevel: verbose + writeFiles: true + rotate: + size: 52428800 # bytes, default is 50mb + count: 5 + +matrix_appservice_webhooks_configuration_extension_yaml: | + # + +matrix_appservice_webhooks_configuration_extension: "{{ matrix_appservice_webhooks_configuration_extension_yaml|from_yaml if matrix_appservice_webhooks_configuration_extension_yaml|from_yaml else {} }}" + +matrix_appservice_webhooks_configuration: "{{ matrix_appservice_webhooks_configuration_yaml|from_yaml|combine(matrix_appservice_webhooks_configuration_extension, recursive=True) }}" + +matrix_appservice_webhooks_registration_yaml: | + id: "{{ matrix_appservice_webhooks_id_token }}" + hs_token: "{{ matrix_appservice_webhooks_homeserver_token }}" + as_token: "{{ matrix_appservice_webhooks_appservice_token }}" + namespaces: + users: + - exclusive: true + regex: '@{{ matrix_appservice_webhooks_user_prefix }}.*' + aliases: [] + rooms: [] + url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}" + sender_localpart: _webhook + rate_limited: false + protocols: null + +matrix_appservice_webhooks_registration: "{{ matrix_appservice_webhooks_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml new file mode 100644 index 00000000..ffa0492d --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml 
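Review bot: `matrix_appservice_webhooks_docker_image` defaults to the floating `:latest` tag and `force_pull` is derived from that suffix, so every rerun silently deploys whatever the registry currently serves; pinning a version tag (`turt2live/matrix-appservice-webhooks:<version>`) keeps deployments reproducible and makes an upgrade a reviewed change. Several defaults are declared but never used by the rendered configuration or registration: `matrix_appservice_webhooks_bot_name`, `matrix_appservice_webhooks_control_room_id`, `matrix_appservice_webhooks_homeserver_domain` and `matrix_appservice_webhooks_homeserver_media_url`, while `localpart: "_webhook"` and `sender_localpart: _webhook` are hard-coded even though the registration regex is built from `matrix_appservice_webhooks_user_prefix`. Changing that prefix would break the match between the bot's localpart and its exclusive namespace, so either template both localparts from the same variable or drop the unused ones. A one-line comment above the tokens saying they are normally derived in group_vars and only need setting when the matrix-synapse role is not used would also help.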
@@ -0,0 +1,79 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}" + when: matrix_appservice_webhooks_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-appservice-webhooks-registration.yaml"] }} + when: matrix_appservice_webhooks_enabled|bool + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. 
+ when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy + set_fact: + matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | + location {{ matrix_appservice_webhooks_public_endpoint }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + rewrite {{ matrix_appservice_webhooks_public_endpoint }}/(.*) /$1 break; + proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}; + {% endif %} + } + + - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_appservice_webhooks_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_appservice_webhooks_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ something }}` + URL endpoint to the matrix-appservice-webhooks container. + You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. + when: "matrix_appservice_webhooks_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/matrix-bridge-appservice-webhooks/tasks/main.yml new file mode 100644 index 00000000..216905f3 --- /dev/null 
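Review bot: The `Fail if matrix-synapse role already executed` task appears twice in this file, once at the top and again after the `matrix_synapse_app_service_config_files` set_fact, so one copy should be removed. The final warning's condition `matrix_nginx_proxy_enabled is not defined` fires only when the variable is undefined, so a host that explicitly sets `matrix_nginx_proxy_enabled: false` never sees the reverse-proxy notice; `when: "matrix_appservice_webhooks_enabled|bool and not matrix_nginx_proxy_enabled|default(False)|bool"` covers both cases. Mounting the registration file into the synapse container with `ro` is the right choice, since it carries the as/hs tokens. Minor: "plabook" in the nginx-proxy fail message should read "playbook".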
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool" + tags: + - setup-all + - setup-appservice-webhooks + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool" + tags: + - setup-all + - setup-appservice-webhooks + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_appservice_webhooks_enabled|bool" + tags: + - setup-all + - setup-appservice-webhooks diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml new file mode 100644 index 00000000..94b4ef0c --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml 
@@ -0,0 +1,64 @@ +--- + +- name: Ensure Appservice webhooks image is pulled + docker_image: + name: "{{ matrix_appservice_webhooks_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}" + +- name: Ensure AppService webhooks paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_appservice_webhooks_base_path }}" + - "{{ matrix_appservice_webhooks_config_path }}" + - "{{ matrix_appservice_webhooks_data_path }}" + +- name: Ensure Matrix Appservice webhooks config is installed + copy: + content: "{{ matrix_appservice_webhooks_configuration|to_nice_yaml }}" + dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure Matrix Appservice webhooks schema.yml template exists + template: + src: "{{ role_path }}/templates/schema.yml.j2" + dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure Matrix Appservice webhooks database.json template exists + template: + src: "{{ role_path }}/templates/database.json.j2" + dest: "{{ matrix_appservice_webhooks_data_path }}/database.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure appservice-webhooks registration.yaml installed + copy: + content: "{{ matrix_appservice_webhooks_registration|to_nice_yaml }}" + dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml" + mode: 0644 + 
owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-appservice-webhooks.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2" + dest: "/etc/systemd/system/matrix-appservice-webhooks.service" + mode: 0644 + register: matrix_appservice_webhooks_systemd_service_result + +- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation + service: + daemon_reload: yes + when: "matrix_appservice_webhooks_systemd_service_result.changed" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml new file mode 100644 index 00000000..605b2525 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-appservice-webhooks service + stat: + path: "/etc/systemd/system/matrix-appservice-webhooks.service" + register: matrix_appservice_webhooks_service_stat + +- name: Ensure matrix-appservice-webhooks is stopped + service: + name: matrix-appservice-webhooks + state: stopped + daemon_reload: yes + when: "matrix_appservice_webhooks_service_stat.stat.exists" + +- name: Ensure matrix-appservice-webhooks.service doesn't exist + file: + path: "/etc/systemd/system/matrix-appservice-webhooks.service" + state: absent + when: "matrix_appservice_webhooks_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal + service: + daemon_reload: yes + when: "matrix_appservice_webhooks_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml new file mode 100644 index 00000000..43b3ae01 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml 
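Review bot: `config.yaml` and `webhooks-registration.yaml` are written with `mode: 0644` although they carry the provisioning secret and the `as_token`/`hs_token`; the directories are created `0750`, so the files should match with `mode: 0640` while keeping owner and group as `matrix_user_username`. The bridge runs as `matrix_user_uid:matrix_user_gid` per the service template, so the tighter mode does not affect it; the registration file is also bind-mounted into the synapse container, which presumably runs as the same user — confirm before tightening. `database.json` and the systemd unit hold no secrets and can stay `0644`.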
@@ -0,0 +1,11 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_appservice_webhooks_appservice_token" + - "matrix_appservice_webhooks_homeserver_token" + - "matrix_appservice_webhooks_id_token" diff --git a/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 b/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 new file mode 100644 index 00000000..e70f1d83 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 @@ -0,0 +1,13 @@ +{ + "defaultEnv": { + "ENV": "NODE_ENV" + }, + "development": { + "driver": "sqlite3", + "filename": "/data/development.db" + }, + "production": { + "driver": "sqlite3", + "filename": "/data/production.db" + } +} diff --git a/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 b/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 new file mode 100644 index 00000000..e999555d --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 @@ -0,0 +1,54 @@ +"$schema": "http://json-schema.org/draft-04/schema#" +type: "object" +properties: + provisioning: + type: "object" + properties: + secret: + type: "string" + homeserver: + type: "object" + properties: + domain: + type: "string" + url: + type: "string" + mediaUrl: + type: "string" + web: + type: "object" + properties: + hookUrlBase: + type: "string" + webhookBot: + type: "object" + properties: + localpart: + type: "string" + appearance: + type: "object" + properties: + displayName: + type: "string" + avatarUrl: + type: "string" + logging: + type: "object" + properties: + file: + type: "string" + console: + type: "boolean" + consoleLevel: + type: "string" + fileLevel: + type: "string" + writeFiles: + type: "boolean" + rotate: + type: "object" + properties: + size: + type: "number" + count: + type: "number" 
diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 new file mode 100644 index 00000000..cde798df --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 
@@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Appservice webhooks server +{% for service in matrix_appservice_webhooks_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_appservice_webhooks_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks +ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_appservice_webhooks_container_http_host_bind_port %} + -p {{ matrix_appservice_webhooks_container_http_host_bind_port }}:{{matrix_appservice_webhooks_matrix_port}} \ + {% endif %} + -v {{ matrix_appservice_webhooks_config_path }}:/config:z \ + -v {{ matrix_appservice_webhooks_data_path }}:/data:z \ + {% for arg in matrix_appservice_webhooks_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_appservice_webhooks_docker_image }} \ + node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml + +ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks +ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-appservice-webhooks + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 3d677074..429a6c4f 100755 --- a/setup.yml +++ b/setup.yml @@ -10,6 +10,7 @@ - matrix-corporal - matrix-bridge-appservice-discord - matrix-bridge-appservice-slack + - matrix-bridge-appservice-webhooks - matrix-bridge-appservice-irc - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts 
From 9892eac7891d9d41abdf92a3b89151900cb1ece7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Fri, 10 Jan 2020 12:38:37 +0100 Subject: [PATCH 02/46] Adjust API secret to be a configurable and required variable --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 3 ++- .../tasks/validate_config.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index e88fabb8..0515638b 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -44,6 +44,7 @@ matrix_appservice_webhooks_systemd_wanted_services_list: [] matrix_appservice_webhooks_appservice_token: '' matrix_appservice_webhooks_homeserver_token: '' matrix_appservice_webhooks_id_token: '' +matrix_appservice_webhooks_api_secret: '' matrix_appservice_webhooks_configuration_yaml: | @@ -69,7 +70,7 @@ matrix_appservice_webhooks_configuration_yaml: | # Provisioning API options provisioning: # Your secret for the API. Required for all provisioning API requests. - secret: 'warummussesdennsolangsein' + secret: '{{ matrix_appservice_webhooks_api_secret }}' # Configuration related to the web portion of the bridge. Handles the inbound webhooks web: diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml index 43b3ae01..b92a0eb9 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml @@ -9,3 +9,4 @@ - "matrix_appservice_webhooks_appservice_token" - "matrix_appservice_webhooks_homeserver_token" - "matrix_appservice_webhooks_id_token" + - "matrix_appservice_webhooks_api_secret" From 3a8061618552b31fba874d9db9a52b3e622b72bd Mon Sep 17 00:00:00 2001 
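Review bot: The new `secret: '{{ matrix_appservice_webhooks_api_secret }}'` line inserts the secret into single-quoted YAML that is later parsed with `from_yaml`, so a secret containing `'` breaks parsing of the whole configuration; `secret: {{ matrix_appservice_webhooks_api_secret|to_json }}` produces a correctly escaped string for any value. The validate_config addition rejects only the empty string, which is the right minimum, but unlike the three tokens this variable gets no derived default in group_vars/matrix_servers, so a comment above `matrix_appservice_webhooks_api_secret: ''` should say it must be set by the user (and that it gates the provisioning API).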
From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Fri, 10 Jan 2020 12:40:55 +0100 Subject: [PATCH 03/46] Change logging behaviour to only stdout with configurable verbosity (default: info) --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 0515638b..665eafa5 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -46,6 +46,9 @@ matrix_appservice_webhooks_homeserver_token: '' matrix_appservice_webhooks_id_token: '' matrix_appservice_webhooks_api_secret: '' +# Logging information (error, warn, info, verbose, debug is availabe) default is: info +matrix_appservice_webhooks_log_level: 'info' + matrix_appservice_webhooks_configuration_yaml: | # Configuration specific to the application service. All fields (unless otherwise marked) are required. @@ -79,9 +82,9 @@ matrix_appservice_webhooks_configuration_yaml: | logging: file: data/webhook.log console: true - consoleLevel: info + consoleLevel: {{ matrix_appservice_webhooks_log_level }} fileLevel: verbose - writeFiles: true + writeFiles: false rotate: size: 52428800 # bytes, default is 50mb count: 5 From 6b2bf2c38b9e9a4331db99fd633199b20b3b6255 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Fri, 10 Jan 2020 12:43:09 +0100 Subject: [PATCH 04/46] Get rid of rewrite terminology --- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index ffa0492d..33401bf9 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml 
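Review bot: `consoleLevel: {{ matrix_appservice_webhooks_log_level }}` inserts the value unquoted, so an empty `matrix_appservice_webhooks_log_level` renders as `consoleLevel:` and becomes null after `from_yaml`; write `consoleLevel: "{{ matrix_appservice_webhooks_log_level }}"` so it is always a string. The comment above the new default has a typo and reads awkwardly: `# Logging information (error, warn, info, verbose, debug is availabe) default is: info` should read `# Log level (available: error, warn, info, verbose, debug); default is info`. With `writeFiles` now false, the `file`, `fileLevel` and `rotate` keys are inactive configuration; a short comment saying they only apply when `writeFiles` is true would prevent confusion.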
@@ -44,15 +44,14 @@ - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy set_fact: matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | - location {{ matrix_appservice_webhooks_public_endpoint }} { + location {{ matrix_appservice_webhooks_public_endpoint }}/ { {% if matrix_nginx_proxy_enabled|default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - rewrite {{ matrix_appservice_webhooks_public_endpoint }}/(.*) /$1 break; - proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}; + proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}; + proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; {% endif %} } From 654d45a2bf84d76252c79614b2a4c32fd82e9daa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Fri, 10 Jan 2020 12:49:29 +0100 Subject: [PATCH 05/46] Adjust message when webhook bridge is activated but nginx-proxy is not --- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index 33401bf9..bc275f78 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml 
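Review bot: The new `location {{ matrix_appservice_webhooks_public_endpoint }}/ {` no longer matches a request for the bare `/appservice-webhooks` path without a trailing slash, which the previous prefix `location` did match; if that is intended, fine, otherwise keep the prefix without the slash and rely on the trailing `/` in `proxy_pass` to strip it. A comment such as `{# trailing "/" in proxy_pass replaces the matched location prefix, so no rewrite is needed #}` would record why the rewrite was dropped. The enclosing `block` starts before this hunk.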
@@ -72,7 +72,7 @@ msg: >- NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy reverse proxy. - Please make sure that you're proxying the `{{ something }}` + Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}` URL endpoint to the matrix-appservice-webhooks container. You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. when: "matrix_appservice_webhooks_enabled|bool and matrix_nginx_proxy_enabled is not defined" From c2696e8fa733606745b042f39ade7419ebb8d0f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Fri, 10 Jan 2020 14:53:33 +0100 Subject: [PATCH 06/46] Add appservice-webhooks configuration documentation --- ...ing-playbook-bridge-appservice-webhooks.md | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 docs/configuring-playbook-bridge-appservice-webhooks.md diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md new file mode 100644 index 00000000..da0e206d --- /dev/null +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md @@ -0,0 +1,58 @@ +# Setting up Appservice Webhooks (optional) + +The playbook can install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. + +Setup Instructions: + +loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md) + +1. All you basically need is to adjust your `inventory/host_vars/matrix./host-vars.yml`: + ```yaml + matrix_appservice_webhooks_enabled: true + matrix_appservice_webhooks_api_secret: '' + ``` + +2. In case you want to change the verbosity of logging via `journalctl -fu matrix-appservice-webhooks.service` +you can adjust this in `inventory/host_vars/matrix./host-vars.yml` as well. +
+*Note*: default value is: `info` and availabe log levels are : `info, verbose` + + ```yaml + matrix_appservice_webhooks_log_level: '' + ``` + +3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. + +4. Invite the bridge bot user to your room: + - either with: + ``` + /invite @_webhook:matrix. + ``` + *Note*: Make sure you have administration permissions in your room + - or simply add the bridge bot to a private channel (personal channels imply you being an administrator) + +5. Send a message to the bridge bot in order to receive a private message including the webhook link. + ``` + !webhook + ``` + +6. The JSON body for posting messages will have to look like this: + ``` + { + "text": "Hello world!", + "format": "plain", + "displayName": "My Cool Webhook", + "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" + } + ``` + - You can test this via curl like so: + ``` + curl --header "Content-Type: application/json" \ + --data '{ + "text": "Hello world!", + "format": "plain", + "displayName": "My Cool Webhook", + "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" + }' \ + + ``` From c6e066595bf24c054a2105f890a9a27f1d73b37a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Fri, 10 Jan 2020 15:04:23 +0100 Subject: [PATCH 07/46] Add matrix-appservice-webhooks to configurable services in README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index e228519b..7fe575ce 100644 --- a/README.md +++ b/README.md 
@@ -50,6 +50,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/) +- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) + - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients From cb57cd503e80bc8e024d855e14ea328e887c762f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Mon, 13 Jan 2020 17:28:54 +0100 Subject: [PATCH 08/46] Fix documentation mistakes caused due to carelessness --- docs/configuring-playbook-bridge-appservice-webhooks.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md index da0e206d..2badcac2 100644 --- a/docs/configuring-playbook-bridge-appservice-webhooks.md +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md 
@@ -6,14 +6,14 @@ Setup Instructions: loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md) -1. All you basically need is to adjust your `inventory/host_vars/matrix./host-vars.yml`: +1. All you basically need is to adjust your `inventory/host_vars/matrix./vars.yml`: ```yaml matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_api_secret: '' ``` 2. In case you want to change the verbosity of logging via `journalctl -fu matrix-appservice-webhooks.service` -you can adjust this in `inventory/host_vars/matrix./host-vars.yml` as well. +you can adjust this in `inventory/host_vars/matrix./vars.yml` as well.
*Note*: default value is: `info` and availabe log levels are : `info, verbose` @@ -26,7 +26,7 @@ you can adjust this in `inventory/host_vars/matrix./host-vars.yml` 4. Invite the bridge bot user to your room: - either with: ``` - /invite @_webhook:matrix. + /invite @_webhook: ``` *Note*: Make sure you have administration permissions in your room - or simply add the bridge bot to a private channel (personal channels imply you being an administrator) From a8476c1b8ec21fff072c176aa6c1f9df5dbc674c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Mon, 13 Jan 2020 17:29:19 +0100 Subject: [PATCH 09/46] Mention that the bridge itself expects its own domain and not '/appservice-webhooks' --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 665eafa5..b8034440 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -10,6 +10,7 @@ matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-we matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config" matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data" +# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789") matrix_appservice_webhooks_public_endpoint: /appservice-webhooks matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" From 208d5d0fda866481279fcaacf4e6d1e3fd6b60fc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Mon, 13 Jan 2020 17:29:46 +0100 Subject: [PATCH 10/46] Adjust log level choices to verbose and info --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index b8034440..a616c361 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -47,7 +47,7 @@ matrix_appservice_webhooks_homeserver_token: '' matrix_appservice_webhooks_id_token: '' matrix_appservice_webhooks_api_secret: '' -# Logging information (error, warn, info, verbose, debug is availabe) default is: info +# Logging information (info and verbose is available) default is: info matrix_appservice_webhooks_log_level: 'info' matrix_appservice_webhooks_configuration_yaml: | From 268e1d0c80ed39664523319afd7114d999bb3a33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Mon, 13 Jan 2020 17:30:01 +0100 Subject: [PATCH 11/46] Remove appearance section in matrix_appservice_webhooks_configuration_yaml due to not being used --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index a616c361..c556b152 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml 
@@ -66,11 +66,6 @@ matrix_appservice_webhooks_configuration_yaml: | # The localpart to use for the bot. May require re-registering the application service. localpart: "_webhook" - # Appearance options for the Matrix bot - appearance: - displayName: "Webhook Bridge" - avatarUrl: "http://i.imgur.com/IDOBtEJ.png" # webhook icon - # Provisioning API options provisioning: # Your secret for the API. Required for all provisioning API requests. From 80e4eb9ab7526b89e6b629b111d30976080b9900 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Mon, 13 Jan 2020 17:30:19 +0100 Subject: [PATCH 12/46] Remove file logging completely --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index c556b152..a317af18 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -76,14 +76,9 @@ matrix_appservice_webhooks_configuration_yaml: | hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" logging: - file: data/webhook.log console: true consoleLevel: {{ matrix_appservice_webhooks_log_level }} - fileLevel: verbose writeFiles: false - rotate: - size: 52428800 # bytes, default is 50mb - count: 5 matrix_appservice_webhooks_configuration_extension_yaml: | # From f9d518796bc23c1ab4e275477d63e0632b725f2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Marten?= Date: Mon, 13 Jan 2020 17:30:39 +0100 Subject: [PATCH 13/46] Correct regex in matrix_appservice_webhooks_registration_yaml --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index a317af18..cd675162 100644 
--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -94,7 +94,7 @@ matrix_appservice_webhooks_registration_yaml: | namespaces: users: - exclusive: true - regex: '@{{ matrix_appservice_webhooks_user_prefix }}.*' + regex: '@{{ matrix_appservice_webhooks_user_prefix }}*:{{ matrix_domain }}' aliases: [] rooms: [] url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}" From 0ffe821cfbcd87867a2c0161f1d12bc198208012 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Jan 2020 15:55:56 +0200 Subject: [PATCH 14/46] Fix some minor Markdown rendering issues --- ...ing-playbook-bridge-appservice-webhooks.md | 73 ++++++++++--------- 1 file changed, 37 insertions(+), 36 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md index 2badcac2..1db6f452 100644 --- a/docs/configuring-playbook-bridge-appservice-webhooks.md +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md @@ -7,52 +7,53 @@ Setup Instructions: loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md) 1. All you basically need is to adjust your `inventory/host_vars/matrix./vars.yml`: - ```yaml - matrix_appservice_webhooks_enabled: true - matrix_appservice_webhooks_api_secret: '' - ``` + +```yaml +matrix_appservice_webhooks_enabled: true +matrix_appservice_webhooks_api_secret: '' +``` 2. In case you want to change the verbosity of logging via `journalctl -fu matrix-appservice-webhooks.service` you can adjust this in `inventory/host_vars/matrix./vars.yml` as well. -
-*Note*: default value is: `info` and availabe log levels are : `info, verbose` - ```yaml - matrix_appservice_webhooks_log_level: '' - ``` +*Note*: default value is: `info` and availabe log levels are : `info`, `verbose` + +```yaml +matrix_appservice_webhooks_log_level: '' +``` 3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. 4. Invite the bridge bot user to your room: - - either with: - ``` - /invite @_webhook: - ``` - *Note*: Make sure you have administration permissions in your room + + - either with `/invite @_webhook:` (*Note*: Make sure you have administration permissions in your room) + - or simply add the bridge bot to a private channel (personal channels imply you being an administrator) 5. Send a message to the bridge bot in order to receive a private message including the webhook link. - ``` - !webhook - ``` +``` +!webhook +``` 6. The JSON body for posting messages will have to look like this: - ``` - { - "text": "Hello world!", - "format": "plain", - "displayName": "My Cool Webhook", - "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" - } - ``` - - You can test this via curl like so: - ``` - curl --header "Content-Type: application/json" \ - --data '{ - "text": "Hello world!", - "format": "plain", - "displayName": "My Cool Webhook", - "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" - }' \ - - ``` +```json +{ + "text": "Hello world!", + "format": "plain", + "displayName": "My Cool Webhook", + "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" +} +``` + +You can test this via curl like so: + +``` +curl --header "Content-Type: application/json" \ +--data '{ +"text": "Hello world!", +"format": "plain", +"displayName": "My Cool Webhook", +"avatarUrl": "http://i.imgur.com/IDOBtEJ.png" +}' \ + +``` 
From 48402141935591130f06219f0c6c53e003f0633d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Jan 2020 16:02:37 +0200 Subject: [PATCH 15/46] Announce Appservice Webhooks support Related to #339 (Github Pull Request). --- CHANGELOG.md | 9 +++++++++ README.md | 2 ++ docs/configuring-playbook-bridge-appservice-webhooks.md | 2 ++ docs/configuring-playbook.md | 2 ++ 4 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8848df0b..d5596724 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-01-14 + +## Added support for Appservice Webhooks + +Thanks to a contribution from [Björn Marten](https://github.com/tripleawwy) from [netresearch](https://www.netresearch.de/), the playbook can now install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. This bridge provides support for Slack-compatible webhooks. + +Learn more in [Setting up Appservice Webhooks](docs/configuring-playbook-bridge-appservice-webhooks.md). + + # 2020-01-12 ## Added support for automatic Double Puppeting for all Mautrix bridges diff --git a/README.md b/README.md index 7fe575ce..277d6dce 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,8 @@ This playbook sets up your server using the following Docker images: - [cadair/matrix-appservice-slack](https://hub.docker.com/r/cadair/matrix-appservice-slack) - the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge to [Slack](https://slack.com/) (optional) +- [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) 
diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md index 1db6f452..4e56d8e4 100644 --- a/docs/configuring-playbook-bridge-appservice-webhooks.md +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md @@ -2,6 +2,8 @@ The playbook can install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. +This bridge provides support for Slack-compatible webhooks. + Setup Instructions: loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 5b605cbf..4d84fac3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -93,4 +93,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (optional) +- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) From 73d0bf7170668867e4b4176b39ffa039653c1cf0 Mon Sep 17 00:00:00 2001 From: David Gnedt Date: Wed, 15 Jan 2020 19:15:42 +0100 Subject: [PATCH 16/46] Fix regex in matrix_appservice_webhooks_registration_yaml --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index cd675162..09daa22b 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml 
@@ -94,7 +94,7 @@ matrix_appservice_webhooks_registration_yaml: | namespaces: users: - exclusive: true - regex: '@{{ matrix_appservice_webhooks_user_prefix }}*:{{ matrix_domain }}' + regex: '^@{{ matrix_appservice_webhooks_user_prefix | regex_escape }}.*:{{ matrix_domain | regex_escape }}$' aliases: [] rooms: [] url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}" From 72f6e56fb85cbfd5e6433223114633024a10f8ab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Jan 2020 14:17:50 +0200 Subject: [PATCH 17/46] Upgrade mautrix-telegram (0.6.1 -> 0.7.0) --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 065030da..6cfa3abb 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.6.1" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" From b8eb5e4e0d6ee83fdb841a397ed4f6b2f7a93b99 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Jan 2020 19:55:26 +0200 Subject: [PATCH 18/46] Add a note for users not using SSH keys --- docs/installing.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/installing.md b/docs/installing.md index 78bd1be1..1e3ebf54 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -8,9 +8,11 @@ Run this as-is to set up a server: ansible-playbook -i inventory/hosts setup.yml --tags=setup-all ``` -This **doesn't start any services just yet** (another step does this later - below). +**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. -Feel free to **re-run this any time** you think something is off with the server configuration. +The above command **doesn't start any services just yet** (another step does this later - below). + +Feel free to **re-run this setup command any time** you think something is off with the server configuration. ## Things you might want to do after installing From 776c1083929fe6bb35d8d339435628ea00eba7d9 Mon Sep 17 00:00:00 2001 From: prasket Date: Sun, 19 Jan 2020 18:35:57 -0800 Subject: [PATCH 19/46] created new file with change admin options and removed make admin file. Updated name references as well throughout the project. --- docs/registering-users.md | 6 +++--- docs/updating-users-passwords.md | 2 +- .../matrix-postgres/tasks/setup_postgres.yml | 8 ++++---- .../matrix-change-user-admin-status.j2 | 19 +++++++++++++++++++ .../usr-local-bin/matrix-make-user-admin.j2 | 17 ----------------- 5 files changed, 27 insertions(+), 25 deletions(-) create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 delete mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 diff --git a/docs/registering-users.md b/docs/registering-users.md index 50dd92a9..d5ddc6c7 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md 
@@ -24,11 +24,11 @@ If you've just installed Matrix, **to finalize the installation process**, it's ----- -The script `/usr/local/bin/matrix-make-user-admin` may be used to upgrade a user's privileges: +The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges: * log on to your server with ssh -* execute with the username: +* execute with the username and 0/1 (0 = non-admin | 1 = admin) ``` -/usr/local/bin/matrix-make-user-admin +/usr/local/bin/matrix-change-user-admin-status <0/1> ``` diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 838e2000..90dfb64e 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -34,7 +34,7 @@ where `` is the hash returned by the docker command above. Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password -This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. +This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 9ee09381..c55a2e65 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml 
+++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -73,10 +73,10 @@ mode: 0750 when: matrix_postgres_enabled|bool -- name: Ensure matrix-make-user-admin script created +- name: Ensure matrix-change-user-admin-status script created template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2" - dest: "/usr/local/bin/matrix-make-user-admin" + src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" + dest: "/usr/local/bin/matrix-change-user-admin-status" mode: 0750 when: matrix_postgres_enabled|bool @@ -146,6 +146,6 @@ state: absent with_items: - matrix-postgres-cli - - matrix-make-user-admin + - matrix-change-user-admin-status - matrix-postgres-update-user-password-hash when: "not matrix_postgres_enabled|bool" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 new file mode 100644 index 00000000..815a5b10 --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -0,0 +1,19 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" <0/1>" + echo "Usage: 0 = non-admin" + echo "Usage: 1 = admin" + exit 1 +fi + +docker run \ + -it \ + --rm \ + --user=991:991 \ + --cap-drop=ALL \ + --env-file=/matrix/postgres/env-postgres-psql \ + --network matrix \ + postgres:12.1-alpine \ + psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:seattlematrix.org'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 deleted file mode 100644 index f8daa6a7..00000000 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ /dev/null 
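Review bot: The new `matrix-change-user-admin-status.j2` hard-codes one deployment's values — `seattlematrix.org` inside the SQL string, `--user=991:991`, `--env-file=/matrix/postgres/env-postgres-psql`, `--network matrix`, `postgres:12.1-alpine` and `-h matrix-postgres` — where the deleted `matrix-make-user-admin.j2` used `{{ matrix_domain }}`, `{{ matrix_user_uid }}:{{ matrix_user_gid }}`, `{{ matrix_postgres_base_path }}`, `{{ matrix_docker_network }}`, `{{ matrix_postgres_docker_image_to_use }}` and `{{ matrix_postgres_connection_hostname }}`, so on any other host the script updates a row that does not exist (or not the intended one) and breaks as soon as paths, network or image are customised. Both `$1` and the newly added `$2` are spliced into the `UPDATE` string unchecked and `LIKE` treats `%`/`_` as pattern characters, so a stray `'` or `%` in the username aborts the query or widens the match to other accounts; restore the template variables, reject any `$2` other than `0`/`1` and any `$1` outside the characters a Matrix localpart may contain, and compare with `=` instead of `LIKE`. The identical hunk is repeated in PATCH 20/46 (`e99497bb`), and `matrix_postgres_docker_image_to_use` is only seen here in the deleted template, so confirm it is still defined by the role before reusing it.
```shell
# … unchanged: jinja2 header, shebang, argument-count check and usage output …

# Only 0 or 1 is meaningful; refuse anything else before it reaches the SQL string.
case "$2" in
  0|1) ;;
  *) echo "admin status must be 0 or 1"; exit 1 ;;
esac

# The localpart is interpolated into SQL below, so restrict it to what Matrix allows.
case "$1" in
  ""|*[!a-z0-9._=/-]*) echo "invalid username localpart"; exit 1 ;;
esac

docker run \
  -it \
  --rm \
  --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
  --cap-drop=ALL \
  --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
  --network {{ matrix_docker_network }} \
  {{ matrix_postgres_docker_image_to_use }} \
  psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users SET admin=$2 WHERE name = '@$1:{{ matrix_domain }}'"
```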
@@ -1,17 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 1 ]; then - echo "Usage: "$0" " - exit 1 -fi - -docker run \ - -it \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'" From e99497bb60e3ae11c9bf04f2d06c8f7703986294 Mon Sep 17 00:00:00 2001 From: prasket Date: Sun, 19 Jan 2020 18:35:57 -0800 Subject: [PATCH 20/46] created new file with change admin options and removed make admin file. Updated name references as well throughout the project. --- docs/registering-users.md | 6 +++--- docs/updating-users-passwords.md | 2 +- .../matrix-postgres/tasks/setup_postgres.yml | 8 ++++---- .../matrix-change-user-admin-status.j2 | 19 +++++++++++++++++++ .../usr-local-bin/matrix-make-user-admin.j2 | 17 ----------------- 5 files changed, 27 insertions(+), 25 deletions(-) create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 delete mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 diff --git a/docs/registering-users.md b/docs/registering-users.md index 50dd92a9..d5ddc6c7 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -24,11 +24,11 @@ If you've just installed Matrix, **to finalize the installation process**, it's ----- -The script `/usr/local/bin/matrix-make-user-admin` may be used to upgrade a user's privileges: +The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges: * log on to your server with ssh -* execute with the username: +* execute with the username and 0/1 (0 = non-admin | 1 = admin) ``` -/usr/local/bin/matrix-make-user-admin +/usr/local/bin/matrix-change-user-admin-status <0/1> ``` 
diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 838e2000..90dfb64e 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -34,7 +34,7 @@ where `` is the hash returned by the docker command above. Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password -This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. +This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 9ee09381..c55a2e65 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -73,10 +73,10 @@ mode: 0750 when: matrix_postgres_enabled|bool -- name: Ensure matrix-make-user-admin script created +- name: Ensure matrix-change-user-admin-status script created template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2" - dest: "/usr/local/bin/matrix-make-user-admin" + src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" + dest: "/usr/local/bin/matrix-change-user-admin-status" mode: 0750 when: matrix_postgres_enabled|bool 
@@ -146,6 +146,6 @@ state: absent with_items: - matrix-postgres-cli - - matrix-make-user-admin + - matrix-change-user-admin-status - matrix-postgres-update-user-password-hash when: "not matrix_postgres_enabled|bool" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 new file mode 100644 index 00000000..815a5b10 --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -0,0 +1,19 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" <0/1>" + echo "Usage: 0 = non-admin" + echo "Usage: 1 = admin" + exit 1 +fi + +docker run \ + -it \ + --rm \ + --user=991:991 \ + --cap-drop=ALL \ + --env-file=/matrix/postgres/env-postgres-psql \ + --network matrix \ + postgres:12.1-alpine \ + psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:seattlematrix.org'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 deleted file mode 100644 index f8daa6a7..00000000 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ /dev/null @@ -1,17 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 1 ]; then - echo "Usage: "$0" " - exit 1 -fi - -docker run \ - -it \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'" From 121994f56225540cb627232048148d5685eaf4ab Mon Sep 17 00:00:00 2001 
From: Aaron Raimist Date: Mon, 20 Jan 2020 12:09:01 -0600 Subject: [PATCH 21/46] Reword updating-users-passwords.md option 3 --- docs/updating-users-passwords.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 838e2000..865379d3 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -34,7 +34,9 @@ where `` is the hash returned by the docker command above. Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password -This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. +Note this method will log the user out of all of their clients while the other options do not. + +This option requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: From 92c6031c9f19ca609e71fe3e411752a1c4a78d91 Mon Sep 17 00:00:00 2001 From: prasket Date: Mon, 20 Jan 2020 12:59:36 -0800 Subject: [PATCH 22/46] changes to the docs for the new admin modifcation scripts --- docs/registering-users.md | 5 ++++- docs/updating-users-passwords.md | 9 ++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/registering-users.md b/docs/registering-users.md index d5ddc6c7..cf0ede41 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md 
@@ -24,7 +24,10 @@ If you've just installed Matrix, **to finalize the installation process**, it's ----- -The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges: + +## Adding/Removing Administrator privileges to an existing user. + +The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges. * log on to your server with ssh * execute with the username and 0/1 (0 = non-admin | 1 = admin) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 90dfb64e..698405b4 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -2,10 +2,11 @@ ## Option 1 (if you are using the default matrix-postgres container): -You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below): +You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below) ``` -ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=update-user-password +ansible-playbook -i inventory/hosts setup.yml --extra-vars='user:w +name= password=' --tags=update-user-password ``` **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. 
@@ -34,7 +35,9 @@ where `` is the hash returned by the docker command above. Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password -This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. +This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* + +If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: From a23455b697362abf16a9b96783066f670c579228 Mon Sep 17 00:00:00 2001 From: prasket Date: Mon, 20 Jan 2020 13:02:02 -0800 Subject: [PATCH 23/46] accidentaly removed a : --- docs/updating-users-passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 698405b4..e0f6e3de 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -2,7 +2,7 @@ ## Option 1 (if you are using the default matrix-postgres container): -You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below) +You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below): ``` ansible-playbook -i inventory/hosts setup.yml --extra-vars='user:w From 80dd5f0b4697c57fc4d56f0d914dd6b68dd6259c Mon Sep 17 00:00:00 2001 
From: prasket Date: Mon, 20 Jan 2020 13:05:46 -0800 Subject: [PATCH 24/46] reversing another accident, forgot vim mode wasnt enabled at the time --- docs/updating-users-passwords.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index e0f6e3de..f2fac643 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -5,8 +5,7 @@ You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below): ``` -ansible-playbook -i inventory/hosts setup.yml --extra-vars='user:w -name= password=' --tags=update-user-password +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=update-user-password ``` **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. From 9d3d538a2d054e78fdf4c655ff660bc31de02ed9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 21 Jan 2020 00:12:49 +0200 Subject: [PATCH 25/46] Use C collation for Postgres to appease Synapse --- CHANGELOG.md | 17 +++++++++++++++++ .../matrix-postgres/tasks/upgrade_postgres.yml | 7 ++++++- .../templates/env-postgres-server.j2 | 5 ++++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5596724..620d8ec3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,20 @@ +# 2020-01-21 + +## Postgres collation changes (action required!) + +By default, we've been using a UTF-8 collation for Postgres. This is known to cause Synapse some troubles (see the [relevant issue](https://github.com/matrix-org/synapse/issues/6722)) on systems that use [glibc](https://www.gnu.org/software/libc/). We run Postgres in an [Alpine Linux](https://alpinelinux.org/) container (which uses [musl](https://www.musl-libc.org/), and not glibc), so our users are likely not affected by the index corruption problem observed by others. + +Still, we might become affected in the future. In any case, it's imminent that Synapse will complain about databases which do not use a C collation. + +To avoid future problems, we recommend that you run the following command: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres --extra-vars='{"postgres_force_upgrade": true}' +``` + +It forces a [Postgres database upgrade](docs/maintenance-postgres.md#upgrading-postgresql), which would recreate your Postgres database using the proper (`C`) collation. If you are low on disk space, or run into trouble, refer to the Postgres database upgrade documentation page. + + # 2020-01-14 ## Added support for Appservice Webhooks diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index 9a30e819..8a3886b3 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -20,6 +20,11 @@ postgres_start_wait_time: 15 when: "postgres_start_wait_time|default('') == ''" +- name: Set postgres_force_upgrade, if not provided + set_fact: + postgres_force_upgrade: false + when: "postgres_force_upgrade|default('') == ''" + - name: Fail, if trying to upgrade external Postgres database fail: msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." 
@@ -45,7 +50,7 @@ - name: Abort, if already at latest Postgres version fail: msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" - when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest" + when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade" - debug: msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 index 34f75aee..06feb82a 100644 --- a/roles/matrix-postgres/templates/env-postgres-server.j2 +++ b/roles/matrix-postgres/templates/env-postgres-server.j2 @@ -1,4 +1,7 @@ #jinja2: lstrip_blocks: "True" POSTGRES_USER={{ matrix_postgres_connection_username }} POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} -POSTGRES_DB={{ matrix_postgres_db_name }} \ No newline at end of file +POSTGRES_DB={{ matrix_postgres_db_name }} +# Synapse refuses to run if collation is not C. +# See https://github.com/matrix-org/synapse/issues/6722 +POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8 From 65963f694afde5e9b186d9531b13940ddf8d6f11 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 20 Jan 2020 16:33:47 -0600 Subject: [PATCH 26/46] Use Postgres 12.1 when creating a backup --- docs/maintenance-postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index a62b4994..da62509b 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md 
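Review bot: `not postgres_force_upgrade` in the new `when:` evaluates the raw Jinja value, so a flag passed in `key=value` form (`--extra-vars postgres_force_upgrade=false`) arrives as the non-empty string `'false'`, which is truthy and would skip the abort and force the upgrade. Casting keeps both the JSON form shown in the CHANGELOG and the `key=value` form correct: `when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not (postgres_force_upgrade|bool)"`. The same cast belongs on any later use of the flag in this file, which lies outside the hunk.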
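Review bot: `POSTGRES_INITDB_ARGS` is only consulted when the Postgres data directory is first initialised, so the new line changes nothing for an existing cluster; the CHANGELOG hunk's forced `upgrade-postgres` run exists for that reason, but the template itself does not say so. Extending the comment would save the next reader a trip to the changelog: `# Only applied when the data directory is first initialised; an existing cluster keeps its collation until re-created (see docs/maintenance-postgres.md).`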
@@ -42,7 +42,7 @@ docker run \ --rm \ --network=matrix \ --env-file=/matrix/postgres/env-postgres-psql \ -postgres:12.0-alpine \ +postgres:12.1-alpine \ pg_dumpall -h matrix-postgres \ | gzip -c \ > /postgres.sql.gz From 83e7a8d9e6173ad1919dd9fa5e8edf602be05459 Mon Sep 17 00:00:00 2001 From: prasket Date: Tue, 21 Jan 2020 18:29:17 -0800 Subject: [PATCH 27/46] corrected hardcoded matrix domain and added code to remove old matrix-make-user-admin script per suggestion. --- roles/matrix-postgres/tasks/setup_postgres.yml | 6 ++++++ .../usr-local-bin/matrix-change-user-admin-status.j2 | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index c55a2e65..16c27677 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -80,6 +80,12 @@ mode: 0750 when: matrix_postgres_enabled|bool +- name: (Migration) Ensure old matrix-make-user-admin script deleted + file: + path: "/usr/local/bin/matrix-make-user-admin" + state: absent + when: matrix_postgres_enabled|bool + - name: Ensure matrix-postgres-update-user-password-hash script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 index 815a5b10..5f66ca6c 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 
@@ -16,4 +16,4 @@ docker run \ --env-file=/matrix/postgres/env-postgres-psql \ --network matrix \ postgres:12.1-alpine \ - psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:seattlematrix.org'" + psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" \ No newline at end of file From 86eff45e8b43d6251390ced770d34ab316f4a751 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 22 Jan 2020 15:33:20 -0600 Subject: [PATCH 28/46] uri.follow_redirects is now a string field --- roles/matrix-corporal/tasks/self_check_corporal.yml | 2 +- roles/matrix-mxisd/tasks/self_check_mxisd.yml | 2 +- roles/matrix-nginx-proxy/tasks/self_check_well_known.yml | 4 ++-- roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml | 2 +- roles/matrix-riot-web/tasks/self_check_riot_web.yml | 2 +- roles/matrix-synapse/tasks/self_check_client_api.yml | 2 +- roles/matrix-synapse/tasks/self_check_federation_api.yml | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/matrix-corporal/tasks/self_check_corporal.yml b/roles/matrix-corporal/tasks/self_check_corporal.yml index 03e91d8d..d1561757 100644 --- a/roles/matrix-corporal/tasks/self_check_corporal.yml +++ b/roles/matrix-corporal/tasks/self_check_corporal.yml @@ -6,7 +6,7 @@ - name: Check Matrix Corporal HTTP gateway uri: url: "{{ corporal_client_api_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none return_content: true register: result_corporal_client_api ignore_errors: true diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml index 26dccb76..137907bb 100644 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml 
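Review bot: The corrected line still compares with `like`, so a `$1` containing `%` or `_` is a wildcard pattern rather than an exact username and the `UPDATE` can touch more rows than the one intended; with the domain now templated, exact comparison is what the script means: `psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name = '@$1:{{ matrix_domain }}'"`. `$2` is also spliced into the SQL text unquoted, so the statement's shape depends entirely on the caller; checking that it is literally `0` or `1` before this line would keep it to the intended update, though the argument handling sits above the hunk and is not visible here.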
@@ -6,7 +6,7 @@ - name: Check mxisd Identity Service uri: url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" register: result_mxisd ignore_errors: true diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 72be0f41..1e274ee3 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -6,7 +6,7 @@ - path: /.well-known/matrix/client purpose: Client Discovery cors: true - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - block: @@ -15,7 +15,7 @@ path: /.well-known/matrix/server purpose: Server Discovery cors: false - follow_redirects: true + follow_redirects: safe validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - name: Determine domains that we require certificates for (mxisd) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 91dbcdc8..e7a4cfac 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -9,7 +9,7 @@ - name: Check .well-known on the matrix hostname uri: url: "{{ well_known_url_matrix }}" - follow_redirects: false + follow_redirects: none return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" register: result_well_known_matrix diff --git a/roles/matrix-riot-web/tasks/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml index f16e210b..1a845b3e 100644 --- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml +++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml 
@@ -6,7 +6,7 @@ - name: Check riot-web uri: url: "{{ riot_web_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}" register: result_riot_web ignore_errors: true diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml index 50d0f4ef..fc691cc6 100644 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -3,7 +3,7 @@ - name: Check Matrix Client API uri: url: "{{ matrix_synapse_client_api_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_client_api ignore_errors: true diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index b584cb35..fd4b338c 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -3,7 +3,7 @@ - name: Check Matrix Federation API uri: url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_federation_api ignore_errors: true From e9761679eb1a3feb627737e040fd7905d88f7bfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Paul=20T=C3=B6tterman?= Date: Thu, 23 Jan 2020 15:46:24 +0200 Subject: [PATCH 29/46] Upgrade Synapse to 1.9.0 --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 601028a5..c4fbeea6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
@@ -3,7 +3,7 @@ matrix_synapse_enabled: true -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.8.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 2c04384e8e7dbfeb8be0711285e569febfe6034e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Jan 2020 15:47:53 +0200 Subject: [PATCH 30/46] Synchronize config with the one from Synapse 1.9.0 Related to #355. --- group_vars/matrix_servers | 1 - roles/matrix-synapse/defaults/main.yml | 2 +- .../matrix-synapse/tasks/validate_config.yml | 1 + .../templates/synapse/homeserver.yaml.j2 | 314 ++++++++++-------- 4 files changed, 170 insertions(+), 148 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0d030909..2d08e23b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -638,7 +638,6 @@ matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" -matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index c4fbeea6..5a091b0a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
@@ -259,7 +259,7 @@ matrix_synapse_email_smtp_host: "" matrix_synapse_email_smtp_port: 587 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix " -matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" +matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}" # Enable this to activate the REST auth password provider module. diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index fa496642..f3a4a869 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -15,6 +15,7 @@ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" with_items: + - {'old': 'matrix_synapse_email_riot_base_url', 'new': ''} - {'old': 'matrix_synapse_container_expose_api_port', 'new': ''} - {'old': 'matrix_synapse_no_tls', 'new': ''} - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'} diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 75e147d4..0b3e96a9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 
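Review bot: The new validation entry in `validate_config.yml` gives `'new': ''` for `matrix_synapse_email_riot_base_url`, yet the same commit introduces its replacement `matrix_synapse_email_client_base_url` in `defaults/main.yml`, so the failure text visible in the hunk context (`rename the variable (`{{ item.old }}` -> `{{ item.new }}`)`) will tell users to rename it to nothing. Use `- {'old': 'matrix_synapse_email_riot_base_url', 'new': 'matrix_synapse_email_client_base_url'}` so the error names the replacement. The `with_items` list continues outside the hunk.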
@@ -392,17 +392,17 @@ retention: # # The rationale for this per-job configuration is that some rooms might have a # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a very frequent basis (e.g. every 5min), but not want - # that purge to be performed by a job that's iterating over every room it knows, - # which would be quite heavy on the server. + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. # #purge_jobs: # - shortest_max_lifetime: 1d # longest_max_lifetime: 3d - # interval: 5m: + # interval: 12h # - shortest_max_lifetime: 3d # longest_max_lifetime: 1y - # interval: 24h + # interval: 1d ## TLS ## 
@@ -891,23 +891,6 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # Optional account validity configuration. This allows for accounts to be denied # any request after a given period. # -# ``enabled`` defines whether the account validity feature is enabled. Defaults -# to False. -# -# ``period`` allows setting the period after which an account is valid -# after its registration. When renewing the account, its validity period -# will be extended by this amount of time. This parameter is required when using -# the account validity feature. -# -# ``renew_at`` is the amount of time before an account's expiry date at which -# Synapse will send an email to the account's email address with a renewal link. -# This needs the ``email`` and ``public_baseurl`` configuration sections to be -# filled. -# -# ``renew_email_subject`` is the subject of the email sent out with the renewal -# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter -# from the ``email`` section. -# # Once this feature is enabled, Synapse will look for registered users without an # expiration date at startup and will add one to every account it found using the # current settings at that time. 
@@ -918,32 +901,55 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # date will be randomly selected within a range [now + period - d ; now + period], # where d is equal to 10% of the validity period. # -#account_validity: -# enabled: True -# period: 6w -# renew_at: 1w -# renew_email_subject: "Renew your %(app)s account" -# # Directory in which Synapse will try to find the HTML files to serve to the -# # user when trying to renew an account. Optional, defaults to -# # synapse/res/templates. -# template_dir: "res/templates" -# # HTML to be displayed to the user after they successfully renewed their -# # account. Optional. -# account_renewed_html_path: "account_renewed.html" -# # HTML to be displayed when the user tries to renew an account with an invalid -# # renewal token. Optional. -# invalid_token_html_path: "invalid_token.html" +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. 
+ # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" # The user must provide all of the below types of 3PID when registering. # 
@@ -1378,107 +1384,123 @@ password_config: pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} - -# Enable sending emails for password resets, notification events or -# account expiry notices -# -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used -# -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 # SSL: 465, STARTTLS: 587 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: False -# notif_from: "Your Friendly %(app)s homeserver " -# app_name: Matrix -# -# # Enable email notifications by default -# # -# notif_for_new_users: True -# -# # Defining a custom URL for Riot is only needed if email notifications -# # should contain links to a self-hosted installation of Riot; when set -# # the "app_name" setting is ignored -# # -# riot_base_url: "http://localhost/riot" -# -# # Configure the time that a validation email or text message code -# # will expire after sending -# # -# # This is currently used for password resets -# # -# #validation_token_lifetime: 1h -# -# # Template directory. All template files should be stored within this -# # directory. 
If not set, default templates from within the Synapse -# # package will be used -# # -# # For the list of default templates, please see -# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates -# # -# #template_dir: res/templates -# -# # Templates for email notifications -# # -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# -# # Templates for account expiry notices -# # -# expiry_template_html: notice_expiry.html -# expiry_template_text: notice_expiry.txt -# -# # Templates for password reset emails sent by the homeserver -# # -# #password_reset_template_html: password_reset.html -# #password_reset_template_text: password_reset.txt -# -# # Templates for registration emails sent by the homeserver -# # -# #registration_template_html: registration.html -# #registration_template_text: registration.txt -# -# # Templates for validation emails sent by the homeserver when adding an email to -# # your user account -# # -# #add_threepid_template_html: add_threepid.html -# #add_threepid_template_text: add_threepid.txt -# -# # Templates for password reset success and failure pages that a user -# # will see after attempting to reset their password -# # -# #password_reset_template_success_html: password_reset_success.html -# #password_reset_template_failure_html: password_reset_failure.html -# -# # Templates for registration success and failure pages that a user -# # will see after attempting to register using an email or phone -# # -# #registration_template_success_html: registration_success.html -# #registration_template_failure_html: registration_failure.html -# -# # Templates for success and failure pages that a user will see after attempting -# # to add an email or phone to their account -# # -# #add_threepid_success_html: add_threepid_success.html -# #add_threepid_failure_html: add_threepid_failure.html {% if matrix_synapse_email_enabled %} +# Configuration for sending emails from Synapse. 
+# email: - enable_notifs: true - smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} - require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} - app_name: Matrix - notif_template_html: notif_mail.html - notif_template_text: notif_mail.txt - # Templates for account expiry notices. - expiry_template_html: notice_expiry.html - expiry_template_text: notice_expiry.txt - notif_for_new_users: True - riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }} + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + # smtp_user: "exampleusername" + # smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + + # Enable sending emails for messages that the user has missed + # + #enable_notifs: false + enable_notifs: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. 
+ # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} + + # app_name defines the default value for '%(app)s' in notif_from. It + # defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + app_name: Matrix + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + notif_for_new_users: True + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. 
+ # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in the password reset email: 'password_reset_success.html' and + # 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + notif_template_html: notif_mail.html + notif_template_text: notif_mail.txt + expiry_template_html: notice_expiry.html + expiry_template_text: notice_expiry.txt {% endif %} From e0defd4d4cad19aa7e2aeb7cf108f67112d78226 Mon Sep 17 00:00:00 2001 From: Zach Mertes Date: Fri, 24 Jan 2020 05:06:36 -0500 Subject: [PATCH 31/46] Fix invalid password salts for slack webhooks --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2d08e23b..6e06be1b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
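Review bot: `notif_for_new_users: True` is the one capitalised YAML 1.1 boolean left in the rendered `email:` block, while `enable_notifs: true` and the `|to_json` values beside it emit lowercase; Synapse's loader accepts both, but yamllint's `truthy` rule flags it and it reads as a leftover from the removed sample. Change it to `notif_for_new_users: true`. It is also worth a line in the role's defaults that `require_transport_security` is rendered from `matrix_synapse_email_smtp_require_transport_security`, whose default in this commit is `false` (see the defaults hunk above), so a deployment that points `smtp_host` at an external relay gets only opportunistic STARTTLS unless it sets that variable.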
@@ -74,11 +74,11 @@ matrix_appservice_webhooks_enabled: false # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_webhooks_port }}' }}" -matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhooks-appservice-token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" -matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhooks-homeserver-token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhooks-id-token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ From bc620895cabd98bb2a79078b3e560f7dea8154e7 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 24 Jan 2020 06:59:42 -0600 Subject: [PATCH 32/46] Install python3-docker if ansible is running python 3 --- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 3a9192f0..3460fd3d 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -28,7 +28,7 @@ apt: name: - bash-completion - - python-docker + - "python{{'3' if ansible_python.version.major == 3}}-docker" - ntp - fuse state: latest 
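Review bot: Changing the salts changes the derived value of all three tokens, so on an existing deployment the next playbook run rotates the webhooks bridge's appservice and homeserver tokens; both the bridge registration and Synapse's copy are rendered from the same variables, so they stay consistent, but Synapse has to reload the registration and the bridge must be restarted before the two sides agree again. A CHANGELOG entry saying the tokens rotate would prevent puzzling authentication failures between the bridge and Synapse after the upgrade. A comment above the three lines would also stop the next person from "tidying" them: `# sha512 password_hash salts are limited to 16 chars from [./0-9A-Za-z]; do not change them on an existing deployment, the derived tokens would rotate.`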
From 320d5125419f4b2c358af5cd78e704b680ba0e95 Mon Sep 17 00:00:00 2001 From: dhose <4066579+dhose@users.noreply.github.com> Date: Fri, 24 Jan 2020 19:46:58 +0100 Subject: [PATCH 33/46] Fix for when if case evaluates to false --- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 3460fd3d..c8325324 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -28,7 +28,7 @@ apt: name: - bash-completion - - "python{{'3' if ansible_python.version.major == 3}}-docker" + - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - ntp - fuse state: latest From 77b919aec690a48b6c9ffd10f66711edbfa72966 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Jan 2020 10:04:21 +0200 Subject: [PATCH 34/46] Become compatible with official matrix-appservice-irc Docker image This change allows us to work with both our existing Docker image (`tedomum/matrix-appservice-irc:latest`) and with the official Docker image (`matrixdotorg/matrix-appservice-irc`). The actual change to the official Docker image requires more testing and will be done separately. --- roles/matrix-bridge-appservice-irc/tasks/setup_install.yml | 6 ++++-- .../templates/systemd/matrix-appservice-irc.service.j2 | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index f3340094..e2c2c2b6 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml 
@@ -98,13 +98,15 @@ --cap-drop=ALL -v {{ matrix_appservice_irc_config_path }}:/config:z -v {{ matrix_appservice_irc_data_path }}:/data:z + --entrypoint=/bin/bash {{ matrix_appservice_irc_docker_image }} - node app.js + -c + 'node app.js -r -f /config/registration-template.yaml -u "http://matrix-appservice-irc:9999" -c /config/config.yaml - -l irc_bot + -l irc_bot' changed_when: false - name: Read Appservice IRC registration-template.yaml diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 596a6005..53e5b8e3 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -30,8 +30,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ {% for arg in matrix_appservice_irc_container_extra_arguments %} {{ arg }} \ {% endfor %} + --entrypoint=/bin/bash \ {{ matrix_appservice_irc_docker_image }} \ - -c /config/config.yaml -f /config/registration.yaml -p 9999 + -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' ExecStop=-/usr/bin/docker kill matrix-appservice-irc ExecStop=-/usr/bin/docker rm matrix-appservice-irc From aa05df6a028c50ca59c18edacd01c56fa2e613cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Jan 2020 10:07:08 +0200 Subject: [PATCH 35/46] Switch to upgraded & official matrix-appservice-irc Docker image --- .../defaults/main.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 354e5fdb..c6e7ce87 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml 
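Review bot: The task now hands the bridge's argument list to `/bin/bash -c` as a single quoted string, so the command is shell-parsed inside the container; everything in it is literal today, but any value templated into that string later (a path or port from a variable) would need shell quoting, whereas the earlier form passed each token as its own argv element. A comment next to `--entrypoint=/bin/bash` stating why the override is needed (running the same command on both the old and the official image, per the commit message) would help the next reader. The task's module and its start sit outside the hunk, so I could not check how the block scalar folds the multi-line quoted string into the command.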
@@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" @@ -377,11 +377,6 @@ matrix_appservice_irc_configuration_yaml: | enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} ircService: - # The nedb database URI to connect to. This is the name of the directory to - # dump .db files to. This is relative to the project directory. - # Required. - databaseUri: "nedb:///data" - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in # the database. @@ -474,6 +469,15 @@ matrix_appservice_irc_configuration_yaml: | # enough for the vast majority of use cases. maxHttpSockets: 1000 + # Use an external database to store bridge state. + database: + # database engine (must be 'postgres' or 'nedb'). Default: nedb + engine: "nedb" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + connectionString: "nedb:///data" + matrix_appservice_irc_configuration_extension_yaml: | # Your custom YAML configuration for Appservice IRC servers goes here. # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`). From c2135d1afed12a9c179be1386751c8c1382745aa Mon Sep 17 00:00:00 2001 
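Review bot: The `database:` block added after `maxHttpSockets: 1000` in the third hunk does not appear to sit under `ircService:` the way the removed `databaseUri` did; because the whole config is a `|` block scalar, no YAML tooling catches that, and patch 44/46 on this page re-indents it after the bridge refused to start. Exposing the two values as role variables, e.g. `matrix_appservice_irc_database_engine: "nedb"` and `matrix_appservice_irc_database_connection_string: "nedb:///data"` referenced from the block, would let operators move to postgres without overriding all of `matrix_appservice_irc_configuration_yaml`. Moving from `:latest` to `release-0.14.1` also turns `matrix_appservice_irc_docker_image_force_pull` off, so future upgrades need an explicit image bump; a CHANGELOG line would help.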
From: Slavi Pantaleev Date: Sat, 25 Jan 2020 10:23:59 +0200 Subject: [PATCH 36/46] Switch from kamax-matrix/matrix-synapse-rest-password-provider to ma1uta/matrix-synapse-rest-password-provider Synapse v1.9.0 changed some things which made the REST Auth Password Provider break. The ma1uta/matrix-synapse-rest-password-provider implements some workarounds for now and will likely deliver a proper fix in the future. Not much has changed between the 2 projects, so this should be a painless transition. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5a091b0a..233f9c47 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -263,9 +263,9 @@ matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}" # Enable this to activate the REST auth password provider module. -# See: https://github.com/kamax-io/matrix-synapse-rest-auth +# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider matrix_synapse_ext_password_provider_rest_auth_enabled: false -matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.2/rest_auth_provider.py" +matrix_synapse_ext_password_provider_rest_auth_download_url: "https://github.com/ma1uta/matrix-synapse-rest-password-provider/blob/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py" matrix_synapse_ext_password_provider_rest_auth_endpoint: "" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true From d77df2990aa5718f18564895b6edf5b46c0bbb2c Mon Sep 17 00:00:00 2001 
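Review bot: The new `matrix_synapse_ext_password_provider_rest_auth_download_url` points at GitHub's `blob/` page, which serves HTML rather than the module source, so whatever downloads it will hand Synapse a web page instead of `rest_auth_provider.py`; the raw form, `https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py`, is what is needed (patch 39/46 on this page makes exactly that correction). Pinning to a full commit SHA instead of a tag is the right choice for a file that is imported into the Synapse process, since the content behind it cannot change.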
From: Aaron Raimist Date: Sun, 26 Jan 2020 14:17:59 -0600 Subject: [PATCH 37/46] Link to official instructions on how to install Ansible --- docs/ansible.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index f58241a1..e098c8a4 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -9,9 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Ansible 2.5 or newer is required. - -If you're on Ansible 2.5.x, due to bugs in Ansible 2.5.0 and 2.5.1, at least Ansible 2.5.2 is required. +Ansible 2.5.2 or newer is required. ## Checking your Ansible version @@ -28,7 +26,7 @@ If you're on an old version of Ansible, you should [upgrade Ansible to a newer v Depending on your distribution, you may be able to upgrade Ansible in a few different ways: -- by using an additional repository (PPA, etc.), which provides newer Ansible versions +- by using an additional repository (PPA, etc.), which provides newer Ansible versions. See instructions for [CentOS](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-rhel-centos-or-fedora), [Debian](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-debian), or [Ubuntu](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-ubuntu) on the Ansible website. - by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installing/) (`pip install ansible`). From 874d2390dd2ed17ee06cc0a2887cc6b57c10a824 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 26 Jan 2020 23:07:12 +0200 Subject: [PATCH 38/46] Revert "Upgrade Slack bridge to 1.0.2" This reverts commit 61e93744ecdaf1084d34268537a81f9cbc2f9210. Reverting because of: - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/341 - https://github.com/matrix-org/matrix-appservice-slack/issues/347 --- .../defaults/main.yml | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 5c6f5e34..58babbc3 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.0.2" +matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" 
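Review bot: The revert moves the bridge back to `cadair/matrix-appservice-slack:latest`, a mutable tag, and `matrix_appservice_slack_docker_image_force_pull` then re-pulls it on every run, so what gets deployed depends on whatever the registry serves at that moment. If the 1.0.2 release is unusable, a digest-pinned reference such as `cadair/matrix-appservice-slack@sha256:<digest placeholder>` keeps the rollback reproducible while force-pull stays off. The `rtm`/`oauth2` stanza removed in the second hunk is consistent with the older image and needs no further change.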
@@ -51,24 +51,6 @@ matrix_appservice_slack_configuration_yaml: | bot_username: "{{ matrix_appservice_slack_bot_name }}" username_prefix: {{ matrix_appservice_slack_user_prefix }} - # Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise. - rtm: - # Use the RTM API to listen for requests, which does not require - # the bridge to listen on the hook port. - # You should leave this enabled, unless you plan to use the - # bridge exclusively for webhooks. - enable: true - logging: "silent" # Logging level specific to RTM traffic. - # A prefix similar to inbound_uri_prefix for oauth2 requests. inbound_uri_prefix will be used if this is not set - # Optional - # redirect_prefix: "https://my.server.here:9898/mycustomoauthendpoint" - - # Allow users to add channels dynamically by using oauth, or puppet themselves. - # Optional - oauth2: - client_id: "" - client_secret: "" - homeserver: media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" url: "{{ matrix_appservice_slack_homeserver_url }}" From c9f2bf89b54b189f643a2e1eaedf3b5328ca25fb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Jan 2020 12:22:36 +0200 Subject: [PATCH 39/46] Fix incorrect REST Auth module URL Regression since #362 (Github Pull Request). --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 233f9c47..00543e7f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
@@ -265,7 +265,7 @@ matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}"
 # Enable this to activate the REST auth password provider module.
 # See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
 matrix_synapse_ext_password_provider_rest_auth_enabled: false
-matrix_synapse_ext_password_provider_rest_auth_download_url: "https://github.com/ma1uta/matrix-synapse-rest-password-provider/blob/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py"
+matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py"
 matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
 matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
From b323c975cf79f99231e3bed670a8040dbf77b017 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 28 Jan 2020 13:01:30 +0200
Subject: [PATCH 40/46] Upgrade riot-web (1.5.7 -> 1.5.8)
---
 roles/matrix-riot-web/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml
index cf47fa94..6ded2b98 100644
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@@ -1,6 +1,6 @@
 matrix_riot_web_enabled: true
-matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.7"
+matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.8"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"
 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
From f9a67624e136ccf6f71f25ab2fc3edcfd10f11a8 Mon Sep 17 00:00:00 2001
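Review bot: With the corrected URL, the provider module is still fetched and imported into Synapse with no integrity check beyond TLS; because the commit SHA in the path makes the content immutable, a checksum can be recorded alongside it, e.g. `matrix_synapse_ext_password_provider_rest_auth_download_checksum: "sha256:<checksum placeholder>"`, and passed as `checksum:` to the `get_url` task that performs the download. That task is not in this diff, so whether it already uses `get_url` is unverified here.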
From: Slavi Pantaleev Date: Tue, 28 Jan 2020 16:02:09 +0200 Subject: [PATCH 41/46] Upgrade Synapse (1.9.0 -> 1.9.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 00543e7f..75adcf3e 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -3,7 +3,7 @@ matrix_synapse_enabled: true -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From f18037ae42b3837ac14ab96f6868731069a5b6be Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Jan 2020 12:56:20 +0200 Subject: [PATCH 42/46] Disable TLSv1.1 by default --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-own-webserver.md | 2 +- examples/apache/matrix-dimension.conf | 2 +- examples/apache/matrix-riot-web.conf | 2 +- examples/apache/matrix-synapse.conf | 4 ++-- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 6 files changed, 15 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 620d8ec3..2f5f62f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-01-30 + +## Disabling TLSv1.1 + +To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration. + +If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"` + + # 2020-01-21 ## Postgres collation changes (action required!) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index bb958cd7..d686c947 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" +matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` diff --git a/examples/apache/matrix-dimension.conf b/examples/apache/matrix-dimension.conf index 9078cd87..f334690e 100644 --- a/examples/apache/matrix-dimension.conf +++ b/examples/apache/matrix-dimension.conf @@ -26,7 +26,7 @@ SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf index 85769785..0860a048 100644 --- a/examples/apache/matrix-riot-web.conf +++ b/examples/apache/matrix-riot-web.conf @@ -26,7 +26,7 @@ SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index f3f85d31..3e09121f 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -26,7 +26,7 @@ SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On 
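Review bot: The Apache examples only change `SSLProxyProtocol`, which governs the TLS versions Apache itself uses when connecting to the backend; the client-facing listener is controlled by `SSLProtocol`, which none of these hunks touch (matrix-dimension.conf, matrix-riot-web.conf and both hunks of matrix-synapse.conf). If the example vhosts carry an `SSLProtocol` line (not visible in these hunks), it should drop TLSv1.1 as well, otherwise the CHANGELOG's "TLSv1.1 disabled" claim holds for matrix-nginx-proxy but not for the Apache setup. If there is no such line, the examples inherit httpd's server-wide `SSLProtocol` default, which still permits older TLS versions and is worth stating in the docs.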
@@ -103,7 +103,7 @@ Listen 8448 SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index d6388a98..8ab923cb 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -160,7 +160,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" +matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true From a0b313b3d13e7ed1331907bd3bbe466387aed9d0 Mon Sep 17 00:00:00 2001 From: joao-p-marques Date: Thu, 6 Feb 2020 00:25:26 +0000 Subject: [PATCH 43/46] fix invalid password salt on slack bridge --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6e06be1b..d230e041 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -108,11 +108,11 @@ matrix_appservice_slack_enabled: false
 # matrix-appservice-slack's client-server port to the local host.
 matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_slack_slack_port }}' }}"
-matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-appservice-token') | to_uuid }}"
+matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.appservice.token') | to_uuid }}"
-matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-homeserver-token') | to_uuid }}"
+matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.homeserver.token') | to_uuid }}"
-matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-id-token') | to_uuid }}"
+matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"
 matrix_appservice_slack_systemd_required_services_list: |
 {{
From 8fe8cf9113ffdc8e9141dbdb47846cf1c75dfed4 Mon Sep 17 00:00:00 2001
From: Lee Verberne
Date: Sat, 8 Feb 2020 11:02:03 +0100
Subject: [PATCH 44/46] Fix matrix-appservice-irc database specification
This fixes an incorrect indentation in the database specification for appservice-irc which caused matrix-appservice-irc to refuse to start with the remarkably unhelpful error message: ``` ERROR:CLI Failed to run bridge. ``` This also updates doc links to the new matrixdotorg repo because the tedomum repo contains out-of-date documentation.
---
 README.md | 4 ++--
 ...configuring-playbook-bridge-appservice-irc.md | 4 ++--
 .../defaults/main.yml | 16 ++++++++--------
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 277d6dce..bf6398cd 100644
--- a/README.md
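Review bot: The new salts `slack.appservice.token` and `slack.homeserver.token` are 22 characters, but sha512_crypt accepts at most 16 salt characters, so `password_hash` will still fail under passlib (or silently truncate where the crypt module is used instead) — patch 45/46 on this page shortens them. Replacing `-` with `.` is the right part of the fix, since the crypt salt alphabet is `[./0-9A-Za-z]`. If the other bridge token definitions in this file follow the same hyphenated salt pattern, they have the same problem and should be corrected in one pass.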
+++ b/README.md @@ -44,7 +44,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) -- (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) +- (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) @@ -134,7 +134,7 @@ This playbook sets up your server using the following Docker images: - [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) -- [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) +- [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) - [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) 
diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index f66c9631..a9403cb5 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -1,8 +1,8 @@ # Setting up Appservice IRC (optional) -The playbook can install and configure [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) for you. +The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you. -See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. You'll need to use the following playbook configuration: diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index c6e7ce87..a9b04872 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml 
@@ -469,14 +469,14 @@ matrix_appservice_irc_configuration_yaml: | # enough for the vast majority of use cases. maxHttpSockets: 1000 - # Use an external database to store bridge state. - database: - # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "nedb" - # Either a PostgreSQL connection string, or a path to the NeDB storage directory. - # For postgres, it must start with postgres:// - # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb:///data" + # Use an external database to store bridge state. + database: + # database engine (must be 'postgres' or 'nedb'). Default: nedb + engine: "nedb" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + connectionString: "nedb:///data" matrix_appservice_irc_configuration_extension_yaml: | # Your custom YAML configuration for Appservice IRC servers goes here. From 2c4eef72c37ba3b3deb0d193aaabfc7ef2519e9d Mon Sep 17 00:00:00 2001 From: teutates <10206665+teutat3s@users.noreply.github.com> Date: Mon, 10 Feb 2020 02:47:26 +0100 Subject: [PATCH 45/46] fix slack bridge: salt too large, sha512_crypt requires <= 16 chars --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d230e041..1c7ac23f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
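Review bot: The re-indented `database:` block is the only thing telling a reader that it must live under `ircService:`; because the config is a `|` block scalar, neither yamllint nor Ansible would catch it slipping out again, and the bridge's own error gives no hint, so a comment above it such as `# NOTE: must stay nested under ircService; the bridge refuses to start otherwise` is worth adding. If the role's validate_config.yml already parses the rendered configuration (not visible here), an assertion that `ircService.database.connectionString` is present would be a cheap regression check.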
@@ -108,9 +108,9 @@ matrix_appservice_slack_enabled: false
 # matrix-appservice-slack's client-server port to the local host.
 matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_slack_slack_port }}' }}"
-matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.appservice.token') | to_uuid }}"
+matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"
-matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.homeserver.token') | to_uuid }}"
+matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
 matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"
From b280b05c25e83d11e73dcf7a9cf23a36705b7aa5 Mon Sep 17 00:00:00 2001
From: Daniel Hoffend
Date: Mon, 10 Feb 2020 23:40:50 +0100
Subject: [PATCH 46/46] matrix-nginx-proxy: adding additional configuration blocks
---
 roles/matrix-nginx-proxy/defaults/main.yml | 14 +++++++++++++-
 .../nginx/conf.d/matrix-dimension.conf.j2 | 3 +++
 .../templates/nginx/conf.d/matrix-domain.conf.j2 | 3 +++
 .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 3 +++
 .../templates/nginx/conf.d/nginx-http.conf.j2 | 5 ++++-
 5 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 8ab923cb..8eefe210 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
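Review bot: The 16-character limit that forced `slack.as.token` and `slack.hs.token` is not recorded anywhere in the file, so the next person adding a bridge will reach for a descriptive salt and hit the same failure; a comment above the three token variables, `# Salts for password_hash('sha512', ...) must be at most 16 characters from [./0-9A-Za-z]`, captures it. Changing a salt also changes the derived token, so deployments that ran with the previous value need the bridge registration and Synapse's appservice list regenerated on the next run — worth a CHANGELOG sentence.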
@@ -152,9 +152,21 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_s # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" -# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. +# A list of strings containing additional configuration blocks to add to the nginx http's server configuration. +matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to the matrix riot's server configuration. +matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration. +matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the matrix domain server configuration. +matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] + # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index babcb98c..e7019040 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 
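Review bot: The comment on `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` says "nginx http's server configuration", but the template it feeds (nginx-http.conf.j2, which holds `server_names_hash_bucket_size`) renders into the `http` context rather than a `server` block; it should read `# A list of strings containing additional configuration blocks to add to the nginx http context (not a server block).`, and the `_server_` part of the name is misleading for the same reason, though renaming would break symmetry with the other four variables. Each of these variables is a raw string spliced into the nginx config unescaped, which is fine for operator-owned inventory but is worth stating in the comments so nobody later populates them from a less trusted source.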
@@ -3,6 +3,9 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; +{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} location / { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 55f0e9f2..027f2d31 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -5,6 +5,9 @@ gzip on; gzip_types text/plain application/json; + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} location /.well-known/matrix { root {{ matrix_static_files_base_path }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a81035c7..2047748d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -3,6 +3,9 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} location / { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index 290e1a98..8060ffd5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 
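Review bot: The four new loops come in two shapes: matrix-dimension.conf.j2 and nginx-http.conf.j2 place `{% for %}`/`{% endfor %}` at column 0, while matrix-domain.conf.j2 and matrix-riot-web.conf.j2 indent them to the directive level. Because `{{- configuration_block }}` strips the whitespace immediately before it, the rendered output differs only in the leading whitespace of the inserted block, so this is a readability point rather than a functional one; the indented form matches the surrounding directives and is the one to standardise on. The `render_vhost_directives` macro these loops sit in starts outside the hunk.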
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -3,4 +3,7 @@ # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot). # # Thus, we ensure a larger bucket size value is used. -server_names_hash_bucket_size 64; \ No newline at end of file +server_names_hash_bucket_size 64; +{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %}