Merge pull request #73 from spantaleev/split-into-multiple-roles

Split playbook into multiple roles
development
Slavi Pantaleev 6 years ago committed by GitHub
commit 906942f304
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,3 +1,15 @@
# 2019-01-xx
## Splitting the playbook into multiple roles
For better maintainability, the playbook logic (which all used to reside in a single `matrix-server` role)
has been split out into a number of different roles: `matrix-synapse`, `matrix-postgres`, `matrix-riot-web`, `matrix-mxisd`, etc. (see the `roles/` directory).
To keep the filesystem more consistent with this separation, the **Postgres data had to be relocated**.
The default value of `matrix_postgres_data_path` was changed from `/matrix/postgres` to `/matrix/postgres/data`. The `/matrix/postgres` directory is what we consider a base path now (new variable `matrix_postgres_base_path`). **Your Postgres data files will automatically be relocated by the playbook** (`/matrix/postgres/*` -> `/matrix/postgres/data/`) when you run with `--tags=setup-all` (or `--tags=setup-postgres`). While this shouldn't cause data-loss, **it's better if you do a Postgres backup just in case**. You'd need to restart all services after this migration (`--tags=start`).
# 2019-01-11
## (BC Break) mxisd configuration changes
@ -30,7 +42,7 @@ The following variables are no longer supported by this playbook:
- `matrix_mxisd_template_config`
You are encouraged to use the `matrix_mxisd_configuration_extension_yaml` variable to define your own mxisd configuration additions and overrides.
Refer to the [default variables file](roles/matrix-server/defaults/main.yml) for more information.
Refer to the [default variables file](roles/matrix-mxisd/defaults/main.yml) for more information.
This new way of configuring mxisd is beneficial because:
@ -92,7 +104,7 @@ Based on feedback from others, running Synapse on Python 3 is supposed to decrea
## Riot homepage customization
You can now customize some parts of the Riot homepage (or even completely replace it with your own custom page).
See the `matrix_riot_web_homepage_` variables in `roles/matrix-server/defaults/main.yml`.
See the `matrix_riot_web_homepage_` variables in `roles/matrix-riot-web/defaults/main.yml`.
# 2018-12-04

@ -29,7 +29,7 @@ You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more
To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable
and put your configuration in it.
To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-server/defaults/main.yml).
To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component.
## Troubleshooting

@ -8,7 +8,7 @@ You can follow these steps:
- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix.<your-domain>/vars.yml`)
- edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults/main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
- edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)

@ -0,0 +1,38 @@
# The bare hostname which represents your identity.
# This is something like "example.com".
# Note: this playbook does not touch the server referenced here.
hostname_identity: "{{ host_specific_hostname_identity|lower }}"
# This is where your data lives and what we set up here.
# This and the Riot hostname (see below) are expected to be on the same server.
hostname_matrix: "matrix.{{ hostname_identity }}"
# This is where you access the web UI from and what we set up here.
# This and the Matrix hostname (see above) are expected to be on the same server.
hostname_riot: "riot.{{ hostname_identity }}"
matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
matrix_base_data_path: "/matrix"
matrix_base_data_path_mode: "750"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_homeserver_url: "https://{{ hostname_matrix }}"
matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}"
# The Docker network that all services would be put into
matrix_docker_network: "matrix"
# Variables to Control which parts of our roles run.
run_setup: true
run_import_postgres: true
run_upgrade_postgres: true
run_start: true
run_register_user: true
run_import_sqlite_db: true
run_import_media_store: true
run_self_check: true

@ -0,0 +1,9 @@
---
- name: Get rid of old files and directories
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ matrix_base_data_path }}/environment-variables"
- "{{ matrix_base_data_path }}/scratchpad"

@ -0,0 +1,33 @@
- import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml"
when: run_setup
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/setup_server_base.yml"
when: run_setup
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
when: run_setup
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/setup_well_known.yml"
when: run_setup
tags:
- setup-all
- setup-mxisd
- setup-synapse
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/sanity_check.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/self_check_dns.yml"
delegate_to: 127.0.0.1
become: false
when: run_self_check
tags:
- self-check

@ -22,7 +22,7 @@
when: "matrix_mxisd_enabled"
- name: Perform DNS SRV checks
include_tasks: "{{ role_path }}/tasks/self_check/self_check_dns_srv.yml"
include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml"
with_items: "{{ dns_srv_record_checks }}"
loop_control:
loop_var: dns_srv_record_check

@ -13,22 +13,15 @@
state: present
group: "{{ matrix_user_username }}"
- name: Ensure environment variables data path exists
file:
path: "{{ matrix_environment_variables_data_path }}"
state: directory
mode: 0700
- name: Ensure Matrix base path exists
file:
path: "{{ item }}"
state: directory
mode: 0750
mode: "{{ matrix_base_data_path_mode }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_base_data_path }}"
- "{{ matrix_synapse_base_path }}"
# `docker_network` doesn't work as expected when the given network
# is a substring of a network that already exists.

@ -0,0 +1,21 @@
# We need others to be able to read these directories too,
# so that matrix-nginx-proxy's nginx user can access the files.
#
# For running with another webserver, we recommend being part of the `matrix` group.
- name: Ensure Matrix static-files path exists
file:
path: "{{ item }}"
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
- name: Ensure Matrix /.well-known/matrix/client configured
template:
src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"

@ -0,0 +1,3 @@
# This will contain a list of enabled services that the playbook is managing.
# Each component is expected to append its service name to this list.
matrix_systemd_services_list: []

@ -0,0 +1,4 @@
- import_tasks: "{{ role_path }}/tasks/start.yml"
when: run_start
tags:
- start

@ -0,0 +1,18 @@
---
- name: Ensure systemd reloaded
service:
daemon_reload: yes
- name: Ensure Matrix services stopped
service:
name: "{{ item }}"
state: stopped
with_items: "{{ matrix_systemd_services_list }}"
- name: Ensure Matrix services started
service:
name: "{{ item }}"
enabled: yes
state: started
with_items: "{{ matrix_systemd_services_list }}"

@ -0,0 +1,28 @@
# Enable this to add support for matrix-corporal.
# See: https://github.com/devture/matrix-corporal
matrix_corporal_enabled: false
# Controls whether the matrix-corporal web server's ports are exposed outside of the container.
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
matrix_corporal_http_api_enabled: false
matrix_corporal_http_api_auth_token: ""
# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value)
matrix_corporal_policy_provider_config: ""
matrix_corporal_debug: false

@ -0,0 +1,9 @@
- name: Override configuration specifying where the Matrix Client API is
set_fact:
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
when: "matrix_corporal_enabled"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
when: "matrix_corporal_enabled"

@ -0,0 +1,16 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
when: run_setup
tags:
- setup-all
- setup-corporal
- import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check and matrix_corporal_enabled"
tags:
- self-check

@ -42,7 +42,7 @@
- name: Ensure Matrix Corporal config installed
template:
src: "{{ role_path }}/templates/corporal/config.json.j2"
src: "{{ role_path }}/templates/config.json.j2"
dest: "{{ matrix_corporal_config_dir_path }}/config.json"
mode: 0644
when: "matrix_corporal_enabled"
@ -58,8 +58,11 @@
# Tasks related to getting rid of matrix-corporal (if it was previously enabled)
#
- name: Ensure matrix-corporal.service doesn't exist
- name: Ensure matrix-corporal files don't exist
file:
path: "/etc/systemd/system/matrix-corporal.service"
path: "{{ item }}"
state: absent
when: "not matrix_corporal_enabled"
with_items:
- /etc/systemd/system/matrix-corporal.service
- "{{ matrix_corporal_config_dir_path }}/config.json"

@ -13,7 +13,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
{% if not matrix_nginx_proxy_enabled %}
{% if matrix_corporal_container_expose_ports %}
-p 127.0.0.1:41080:41080 \
-p 127.0.0.1:41081:41081 \
{% endif %}

@ -0,0 +1,14 @@
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# A shared secret (between Synapse and Coturn) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: ""
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"

@ -0,0 +1,2 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}"

@ -0,0 +1,9 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
when: run_setup
tags:
- setup-coturn
- setup-all

@ -19,7 +19,7 @@
- name: Ensure turnserver.conf installed
template:
src: "{{ role_path }}/templates/coturn/turnserver.conf.j2"
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644

@ -13,7 +13,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
-p 3478:3478 \
-p 3478:3478/udp \
-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
-v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \
-v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
{{ matrix_coturn_docker_image }} \
-c /turnserver.conf

@ -0,0 +1,16 @@
# By default, this playbook sets up a postfix mailer server (running in a container).
# This is so that Matrix Synapse can send email reminders for unread messages.
# Other services (like mxisd), however, also use that mailer to send emails through it.
matrix_mailer_enabled: true
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
matrix_mailer_docker_image: "panubo/postfix:latest"
matrix_mailer_sender_address: "matrix@{{ hostname_identity }}"
matrix_mailer_relay_use: false
matrix_mailer_relay_host_name: "mail.example.com"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: false
matrix_mailer_relay_auth_username: ""
matrix_mailer_relay_auth_password: ""

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}"
when: "matrix_mailer_enabled"

@ -0,0 +1,9 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml"
when: run_setup
tags:
- setup-mailer
- setup-all

@ -4,13 +4,21 @@
# Tasks related to setting up the mailer
#
- name: Ensure mailer base path exists
file:
path: "{{ matrix_mailer_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: matrix_mailer_enabled
- name: Ensure mailer environment variables file created
template:
src: "{{ role_path }}/templates/env/{{ item }}.j2"
dest: "{{ matrix_environment_variables_data_path }}/{{ item }}"
src: "{{ role_path }}/templates/env-mailer.j2"
dest: "{{ matrix_mailer_base_path }}/env-mailer"
mode: 0640
with_items:
- "env-mailer"
when: matrix_mailer_enabled
- name: Ensure mailer image is pulled
docker_image:
@ -49,7 +57,7 @@
- name: Ensure Matrix mailer environment variables path doesn't exist
file:
path: "{{ matrix_environment_variables_data_path }}/env-mailer"
path: "{{ matrix_mailer_base_path }}"
state: absent
when: "not matrix_mailer_enabled"

@ -10,7 +10,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-mailer
ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
--log-driver=none \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-mailer \
--env-file={{ matrix_mailer_base_path }}/env-mailer \
{{ matrix_mailer_docker_image }}
ExecStop=-/usr/bin/docker kill matrix-mailer
ExecStop=-/usr/bin/docker rm matrix-mailer

@ -0,0 +1,101 @@
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
# you may wish to disable this.
matrix_mxisd_enabled: true
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
# Controls whether the mxisd web server's port is exposed outside of the container.
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# mxisd's web-server port to the local host (`127.0.0.1:8090`).
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups
matrix_mxisd_matrixorg_forwarding_enabled: false
# mxisd has serveral supported identity stores.
# One of them (which we enable by default) is storing identities directly in Synapse's database.
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
#
# If you need to disable this in favor of some other store, you can toggle it to disabled here
# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
matrix_mxisd_synapsesql_enabled: true
matrix_mxisd_synapsesql_type: postgresql
matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
# Default mxisd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_mxisd_configuration_yaml: |
matrix:
domain: {{ hostname_identity }}
server:
name: {{ hostname_matrix }}
key:
path: /var/mxisd/sign.key
storage:
provider:
sqlite:
database: /var/mxisd/mxisd.db
{% if matrix_mxisd_matrixorg_forwarding_enabled %}
forward:
servers: ['matrix-org']
{% endif %}
threepid:
medium:
email:
identity:
from: {{ matrix_mailer_sender_address }}
connectors:
smtp:
host: matrix-mailer
port: 587
tls: 0
synapseSql:
enabled: {{ matrix_mxisd_synapsesql_enabled }}
type: {{ matrix_mxisd_synapsesql_type }}
connection: {{ matrix_mxisd_synapsesql_connection }}
matrix_mxisd_configuration_extension_yaml: |
# Your custom YAML configuration for mxisd goes here.
# This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_mxisd_configuration_yaml`.
#
# Example configuration extension follows:
#
# ldap:
# enabled: true
# connection:
# host: ldapHostnameOrIp
# tls: false
# port: 389
# baseDns: ['OU=Users,DC=example,DC=org']
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
# Holds the final mxisd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}"
when: "matrix_mxisd_enabled"

@ -0,0 +1,13 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
tags:
- setup-all
- setup-mxisd
- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check and matrix_mxisd_enabled"

@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
{% if not matrix_nginx_proxy_enabled %}
{% if matrix_mxisd_container_expose_port %}
-p 127.0.0.1:8090:8090 \
{% endif %}
-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \

@ -0,0 +1,50 @@
# By default, this playbook sets up its own nginx proxy server on port 80/443.
# This is fine if you're dedicating the whole server to Matrix.
# But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008"
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse
# Note TLSv1.3 is not yet available in dockerized nginx
# See: https://github.com/nginxinc/docker-nginx/issues/190
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.
#
# The following retrieval methods are supported:
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
# - "self-signed" - the playbook generates and self-signs certificates
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
#
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
# obeying the following hierarchy:
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
matrix_ssl_retrieval_method: "lets-encrypt"
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}"
when: "matrix_nginx_proxy_enabled"

@ -0,0 +1,23 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
when: run_setup
tags:
- setup-all
- setup-nginx-proxy
- setup-ssl
- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
when: run_setup
tags:
- setup-all
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
delegate_to: 127.0.0.1
become: false
when: run_self_check
tags:
- self-check

@ -13,12 +13,12 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_well_known_file_path|dirname }}"
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
- name: Ensure Matrix /.well-known/matrix/client configured
template:
src: "{{ role_path }}/templates/well-known/matrix-client.j2"
dest: "{{ matrix_well_known_file_path }}"
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"

@ -31,8 +31,8 @@
# Method specific tasks follow
- import_tasks: tasks/setup/ssl/setup_ssl_lets_encrypt.yml
- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml
- import_tasks: tasks/setup/ssl/setup_ssl_self_signed.yml
- import_tasks: tasks/ssl/setup_ssl_self_signed.yml
- import_tasks: tasks/setup/ssl/setup_ssl_manually_managed.yml
- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml

@ -38,7 +38,7 @@
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
loop_control:
loop_var: domain_name

@ -0,0 +1,8 @@
---
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'manually-managed'"

@ -17,7 +17,7 @@
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'"
- name: Generate self-signed certificates
include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
loop_control:
loop_var: domain_name

@ -0,0 +1,15 @@
# The defaults below cause a postgres server to be configured (running within a container).
# Using an external server is possible by tweaking all of the parameters below.
matrix_postgres_use_external: false
matrix_postgres_connection_hostname: "matrix-postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine"
matrix_postgres_docker_image_v10: "postgres:10.6-alpine"
matrix_postgres_docker_image_v11: "postgres:11.1-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}"

@ -51,7 +51,7 @@
command: |
/usr/bin/docker run --rm --name matrix-postgres-import \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro \
--entrypoint=/bin/sh
{{ matrix_postgres_docker_image_latest }}

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
when: "not matrix_postgres_use_external"

@ -0,0 +1,24 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml"
when: run_setup
tags:
- setup-postgres
- setup-all
- import_tasks: "{{ role_path }}/tasks/import_postgres.yml"
when: run_import_postgres
tags:
- import-postgres
- import_tasks: "{{ role_path }}/tasks/import_sqlite_db.yml"
when: run_import_sqlite_db
tags:
- import-sqlite-db
- import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml"
when: run_upgrade_postgres
tags:
- upgrade-postgres

@ -0,0 +1,72 @@
---
# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`).
#
# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`).
# We wish to use the base directory for other purposes (storing environment variable files, etc.).
# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize
# a database in a non-empty directory.
#
# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations
# which still store it in the parent directory (`/matrix/postgres`).
- name: Check if old Postgres data directory is used
stat:
path: "{{ matrix_postgres_base_path }}/PG_VERSION"
register: result_pg_old_data_dir_stat
- name: Warn if old Postgres data directory detected
debug:
msg: >
Found that you have Postgres data in `{{ matrix_postgres_base_path }}`.
From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead.
We'll stop Postgres and relocate the files there for you.
when: "result_pg_old_data_dir_stat.stat.exists"
# We should stop Postgres first, before building a list of files,
# as to ignore any `postmaster.pid` files, etc.
- name: Ensure matrix-postgres is stopped
service:
name: matrix-postgres
state: stopped
daemon_reload: yes
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Find files and directories in old Postgres data path
find:
paths: "{{ matrix_postgres_base_path }}"
file_type: any
excludes: ["data"]
register: "result_pg_old_data_dir_find"
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Ensure new Postgres data path exists
file:
path: "{{ matrix_postgres_data_path }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "result_pg_old_data_dir_stat.stat.exists"
- block:
- name: Relocate Postgres data files from old directory to new
command: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path|basename }}"
with_items: "{{ result_pg_old_data_dir_find.files }}"
when: "result_pg_old_data_dir_stat.stat.exists"
# Intentionally not starting matrix-postgres here.
# It likely needs to be updated to point to the new directory.
# In fact, let's even get rid of the outdated service, to ensure no one will start it
# and have it initialize a new database.
- name: Ensure outdated matrix-postgres.service doesn't exist
file:
path: "/etc/systemd/system/matrix-postgres.service"
state: absent
when: "result_pg_old_data_dir_stat.stat.exists"
- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service
service:
daemon_reload: yes
when: "result_pg_old_data_dir_stat.stat.exists"

@ -4,7 +4,9 @@
# Generic tasks, no matter what kind of server we're using (internal/external)
#
- import_tasks: tasks/util/detect_existing_postgres_version.yml
- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml"
- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml"
# If we have found an existing version (installed from before), we use its corresponding Docker image.
# If not, we install using the latest Postgres.
@ -23,14 +25,27 @@
docker_image:
name: "{{ matrix_postgres_docker_image_to_use }}"
# We always create these directories, even if an external Postgres is used,
# because we store environment variable files there.
- name: Ensure Postgres paths exist
file:
path: "{{ item }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_postgres_base_path }}"
- "{{ matrix_postgres_data_path }}"
- name: Ensure Postgres environment variables file created
template:
src: "{{ role_path }}/templates/env/{{ item }}.j2"
dest: "{{ matrix_environment_variables_data_path }}/{{ item }}"
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_postgres_base_path }}/{{ item }}"
mode: 0640
with_items:
- "env-postgres-pgsql-docker"
- "env-postgres-server-docker"
- "env-postgres-psql"
- "env-postgres-server"
- name: Ensure matrix-postgres-cli script created
template:
@ -48,15 +63,6 @@
# Tasks related to setting up an internal postgres server
#
- name: Ensure postgres data path exists
file:
path: "{{ matrix_postgres_data_path }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "not matrix_postgres_use_external"
- name: Ensure matrix-postgres.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
@ -96,5 +102,5 @@
# We just want to notify the user. Deleting data is too destructive.
- name: Notify if matrix-postgres local data remains
debug:
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that."
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete it."
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"

@ -71,7 +71,7 @@
command: |
/usr/bin/docker run --rm --name matrix-postgres-dump \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/out \
{{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }}
@ -86,7 +86,7 @@
- debug:
msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation."
- import_tasks: tasks/setup/setup_postgres.yml
- import_tasks: tasks/setup_postgres.yml
- name: Ensure matrix-postgres autoruns and is restarted
service:
@ -105,7 +105,7 @@
command: |
/usr/bin/docker run --rm --name matrix-postgres-import \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/in:ro \
{{ matrix_postgres_docker_image_latest }} psql -v ON_ERROR_STOP=1 -h matrix-postgres -f /in/{{ postgres_dump_name }}

@ -11,7 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \
--env-file={{ matrix_postgres_base_path }}/env-postgres-server \
-v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \
-v /etc/passwd:/etc/passwd:ro \
{{ matrix_postgres_docker_image_to_use }}

@ -8,7 +8,7 @@ fi
docker run \
-it \
--rm \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \
psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'"

@ -3,7 +3,7 @@
docker run \
-it \
--rm \
--env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \
psql -h {{ matrix_postgres_connection_hostname }}

@ -0,0 +1,32 @@
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
# If you wish to connect to your Matrix server by other means,
# you may wish to disable this.
matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
# Riot config.json customizations
matrix_riot_web_disable_custom_urls: true
matrix_riot_web_disable_guests: true
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api"
matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api"
matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Riot public room directory server(s)
matrix_riot_web_roomdir_servers: ['matrix.org']
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# Riot home.html customizations
# Default home.html template file
matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2"
# Show general discussion about Matrix and Riot row
matrix_riot_web_homepage_template_general: true
# Show Matrix technical discussions row
matrix_riot_web_homepage_template_technical: true
# Show building services on Matrix row
matrix_riot_web_homepage_template_building: true
# Show contributing code to Matrix and Riot row
matrix_riot_web_homepage_template_contributing: true

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-riot-web'] }}"
when: matrix_riot_web_enabled

@ -0,0 +1,16 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml"
when: run_setup
tags:
- setup-all
- setup-riot-web
- import_tasks: "{{ role_path }}/tasks/self_check_riot_web.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check and matrix_riot_web_enabled"
tags:
- self-check

@ -26,7 +26,7 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- {src: "{{ role_path }}/templates/riot-web/config.json.j2", name: "config.json"}
- {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"}
- {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"}
when: matrix_riot_web_enabled

@ -1,463 +0,0 @@
# The bare hostname which represents your identity.
# This is something like "example.com".
# Note: this playbook does not touch the server referenced here.
hostname_identity: "{{ host_specific_hostname_identity|lower }}"
# This is where your data lives and what we set up here.
# This and the Riot hostname (see below) are expected to be on the same server.
hostname_matrix: "matrix.{{ hostname_identity }}"
# This is where you access the web UI from and what we set up here.
# This and the Matrix hostname (see above) are expected to be on the same server.
hostname_riot: "riot.{{ hostname_identity }}"
matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
matrix_base_data_path: "/matrix"
matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_homeserver_url: "https://{{ hostname_matrix }}"
matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}"
# The Docker network that all services would be put into
matrix_docker_network: "matrix"
matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
# Specifies which template files to use when configuring Synapse.
# If you'd like to have your own different configuration, feel free to copy and paste
# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
# and then change the specific host's `vars.yaml` file like this:
# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars/<host>/homeserver.yaml.j2"
matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2"
matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2"
matrix_synapse_macaroon_secret_key: ""
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
# The final list of identity servers to use for Synapse.
# The first one would also be used as riot-web's default identity server.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
matrix_synapse_max_log_files_count: 10
# Log levels
# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels
# warning: setting log level to DEBUG will make synapse log sensitive information such
# as access tokens
matrix_synapse_log_level: "INFO"
matrix_synapse_storage_sql_log_level: "INFO"
matrix_synapse_root_log_level: "INFO"
# Rate limits
matrix_synapse_rc_messages_per_second: 0.2
matrix_synapse_rc_message_burst_count: 10.0
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false
# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
# If users participate in large rooms with many other servers,
# disabling this will decrease server load significantly.
matrix_synapse_use_presence: true
# Controls whether people with access to the homeserver can register by themselves.
matrix_synapse_enable_registration: false
# Users who register on this homeserver will automatically be joined to these rooms.
# Rooms are to be specified using addresses (e.g. `#address:example.com`)
matrix_synapse_auto_join_rooms: []
# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created
# automatically if they don't already exist.
matrix_synapse_autocreate_auto_join_rooms: true
# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
matrix_synapse_password_config_pepper: ""
# Controls the number of events that Matrix Synapse caches in memory.
matrix_synapse_event_cache_size: "100K"
# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable.
# Raise this to increase cache sizes or lower it to potentially lower memory use.
# To learn more, see:
# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram
# - https://github.com/matrix-org/synapse/issues/3939
matrix_synapse_cache_factor: 0.5
# Controls whether Matrix Synapse will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
matrix_synapse_federation_enabled: true
# A list of domain names that are allowed to federate with the given Matrix Synapse server.
# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
matrix_synapse_federation_domain_whitelist: ~
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_synapse_container_additional_volumes: []
# A list of additional loggers to register in synapse.log.config.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"name": "..", "level": "DEBUG"}
matrix_synapse_additional_loggers: []
# A list of service config files
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains fs paths
matrix_synapse_app_service_config_files: []
# This is set dynamically during execution depending on whether
# any password providers have been enabled or not.
matrix_synapse_password_providers_enabled: false
# Enable this to activate the REST auth password provider module.
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
matrix_synapse_ext_password_provider_rest_auth_enabled: false
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
# Enable this to activate the Shared Secret Auth password provider module.
# See: https://github.com/devture/matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
# Enable this to activate LDAP password provider
matrix_synapse_ext_password_provider_ldap_enabled: false
matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
matrix_synapse_ext_password_provider_ldap_start_tls: true
matrix_synapse_ext_password_provider_ldap_base: ""
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
matrix_synapse_ext_password_provider_ldap_bind_dn: ""
matrix_synapse_ext_password_provider_ldap_bind_password: ""
matrix_synapse_ext_password_provider_ldap_filter: ""
# The defaults below cause a postgres server to be configured (running within a container).
# Using an external server is possible by tweaking all of the parameters below.
matrix_postgres_use_external: false
matrix_postgres_connection_hostname: "matrix-postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine"
matrix_postgres_docker_image_v10: "postgres:10.6-alpine"
matrix_postgres_docker_image_v11: "postgres:11.1-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}"
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# A shared secret (between Synapse and Coturn) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: ""
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_s3_media_store_enabled: false
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
matrix_s3_media_store_bucket_name: "your-bucket-name"
matrix_s3_media_store_aws_access_key: "your-aws-access-key"
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
matrix_s3_media_store_region: "eu-central-1"
# By default, this playbook sets up a postfix mailer server (running in a container).
# This is so that Matrix Synapse can send email reminders for unread messages.
# Other services (like mxisd), however, also use that mailer to send emails through it.
matrix_mailer_enabled: true
matrix_mailer_docker_image: "panubo/postfix:latest"
matrix_mailer_sender_address: "matrix@{{ hostname_identity }}"
matrix_mailer_relay_use: false
matrix_mailer_relay_host_name: "mail.example.com"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: false
matrix_mailer_relay_auth_username: ""
matrix_mailer_relay_auth_password: ""
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
# you may wish to disable this.
matrix_mxisd_enabled: true
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups
matrix_mxisd_matrixorg_forwarding_enabled: false
# mxisd has serveral supported identity stores.
# One of them (which we enable by default) is storing identities directly in Synapse's database.
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
#
# If you need to disable this in favor of some other store, you can toggle it to disabled here
# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
matrix_mxisd_synapsesql_enabled: true
matrix_mxisd_synapsesql_type: postgresql
matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
# Default mxisd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_mxisd_configuration_yaml: |
matrix:
domain: {{ hostname_identity }}
server:
name: {{ hostname_matrix }}
key:
path: /var/mxisd/sign.key
storage:
provider:
sqlite:
database: /var/mxisd/mxisd.db
{% if matrix_mxisd_matrixorg_forwarding_enabled %}
forward:
servers: ['matrix-org']
{% endif %}
threepid:
medium:
email:
identity:
from: {{ matrix_mailer_sender_address }}
connectors:
smtp:
host: matrix-mailer
port: 587
tls: 0
synapseSql:
enabled: {{ matrix_mxisd_synapsesql_enabled }}
type: {{ matrix_mxisd_synapsesql_type }}
connection: {{ matrix_mxisd_synapsesql_connection }}
matrix_mxisd_configuration_extension_yaml: |
# Your custom YAML configuration for mxisd goes here.
# This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_mxisd_configuration_yaml`.
#
# Example configuration extension follows:
#
# ldap:
# enabled: true
# connection:
# host: ldapHostnameOrIp
# tls: false
# port: 389
# baseDns: ['OU=Users,DC=example,DC=org']
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
# Holds the final mxisd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"
# Enable this to add support for matrix-corporal.
# See: https://github.com/devture/matrix-corporal
matrix_corporal_enabled: false
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
matrix_corporal_http_api_enabled: false
matrix_corporal_http_api_auth_token: ""
# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value)
matrix_corporal_policy_provider_config: ""
matrix_corporal_debug: false
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
# If you wish to connect to your Matrix server by other means,
# you may wish to disable this.
matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
# Riot config.json customizations
matrix_riot_web_disable_custom_urls: true
matrix_riot_web_disable_guests: true
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api"
matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api"
matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Riot public room directory server(s)
matrix_riot_web_roomdir_servers: ['matrix.org']
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# Riot home.html customizations
# Default home.html template file
matrix_riot_web_homepage_template: "{{ role_path }}/templates/riot-web/home.html.j2"
# Show general discussion about Matrix and Riot row
matrix_riot_web_homepage_template_general: true
# Show Matrix technical discussions row
matrix_riot_web_homepage_template_technical: true
# Show building services on Matrix row
matrix_riot_web_homepage_template_building: true
# Show contributing code to Matrix and Riot row
matrix_riot_web_homepage_template_contributing: true
# Matrix mautrix is a Matrix <-> Telegram bridge
# Enable telegram bridge
matrix_mautrix_telegram_enabled: false
matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
# Get your own API keys at https://my.telegram.org/apps
matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
# Mautrix telegram public endpoint to log in to telegram
# Use an uuid so it's not easily discoverable
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
# Matrix mautrix is a Matrix <-> Whatsapp bridge
# Enable whatsapp bridge
matrix_mautrix_whatsapp_enabled: false
matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"
matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
# By default, this playbook sets up its own nginx proxy server on port 80/443.
# This is fine if you're dedicating the whole server to Matrix.
# But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008"
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse
# Note TLSv1.3 is not yet available in dockerized nginx
# See: https://github.com/nginxinc/docker-nginx/issues/190
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.
#
# The following retrieval methods are supported:
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
# - "self-signed" - the playbook generates and self-signs certificates
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
#
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
# obeying the following hierarchy:
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
matrix_ssl_retrieval_method: "lets-encrypt"
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
# Variables to Control which parts of the role run.
run_setup: true
run_import_postgres: true
run_upgrade_postgres: true
run_start: true
run_register_user: true
run_import_sqlite_db: true
run_import_media_store: true
run_self_check: true

@ -1,41 +0,0 @@
---
- import_tasks: tasks/setup/main.yml
when: run_setup
- import_tasks: tasks/import/import_postgres.yml
tags:
- import-postgres
when: run_import_postgres
- import_tasks: tasks/upgrade_postgres.yml
tags:
- upgrade-postgres
when: run_upgrade_postgres
- import_tasks: tasks/start.yml
tags:
- start
when: run_start
- import_tasks: tasks/register_user.yml
tags:
- register-user
when: run_register_user
- import_tasks: tasks/import/import_sqlite_db.yml
tags:
- import-sqlite-db
when: run_import_sqlite_db
- import_tasks: tasks/import/import_media_store.yml
tags:
- import-media-store
when: run_import_media_store
- import_tasks: tasks/self_check/main.yml
delegate_to: 127.0.0.1
become: false
tags:
- self-check
when: run_self_check

@ -1,18 +0,0 @@
---
- import_tasks: tasks/self_check/self_check_dns.yml
- import_tasks: tasks/self_check/self_check_client_api.yml
- import_tasks: tasks/self_check/self_check_federation_api.yml
- import_tasks: tasks/self_check/self_check_riot_web.yml
when: "matrix_riot_web_enabled"
- import_tasks: tasks/self_check/self_check_mxisd.yml
when: "matrix_mxisd_enabled"
- import_tasks: tasks/self_check/self_check_well_known.yml
- import_tasks: tasks/self_check/self_check_corporal.yml
when: "matrix_corporal_enabled"

@ -1,77 +0,0 @@
---
- import_tasks: tasks/setup/setup_sanity_check.yml
tags:
- always
- import_tasks: tasks/setup/setup_base.yml
tags:
- setup-all
- import_tasks: tasks/setup/setup_main.yml
tags:
- setup-all
- import_tasks: tasks/setup/ssl/main.yml
tags:
- setup-all
- setup-ssl
- import_tasks: tasks/setup/setup_postgres.yml
tags:
- setup-all
- setup-postgres
- import_tasks: tasks/setup/setup_goofys.yml
tags:
- setup-all
- setup-goofys
- import_tasks: tasks/setup/setup_coturn.yml
tags:
- setup-all
- setup-coturn
- import_tasks: tasks/setup/setup_mailer.yml
tags:
- setup-all
- setup-mailer
- import_tasks: tasks/setup/setup_mxisd.yml
tags:
- setup-all
- setup-mxisd
- import_tasks: tasks/setup/setup_corporal_overrides.yml
tags:
- always
- import_tasks: tasks/setup/setup_corporal.yml
tags:
- setup-all
- setup-corporal
- import_tasks: tasks/setup/synapse/main.yml
tags:
- setup-all
- setup-synapse
- setup-coturn
- import_tasks: tasks/setup/setup_riot_web.yml
tags:
- setup-all
- setup-riot-web
- import_tasks: tasks/setup/setup_well_known.yml
tags:
- setup-all
- setup-mxisd
- setup-synapse
- setup-nginx-proxy
- setup-well-known
- import_tasks: tasks/setup/setup_nginx_proxy.yml
tags:
- setup-all
- setup-nginx-proxy
- setup-well-known

@ -1,11 +0,0 @@
# These overrides run with the `always` tag,
# because they're important not only for the `setup-corporal` tag, but for other tags too.
#
# We want an nginx-proxy rebuild (`--tags=setup-nginx-proxy`) to also go through here
# and be affected by these overrides.
- name: Override configuration specifying where the Matrix Client API is
set_fact:
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
when: "matrix_corporal_enabled"

@ -1,8 +0,0 @@
---
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'manually-managed'"

@ -1,11 +0,0 @@
---
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml
- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml

@ -1,7 +0,0 @@
---
- import_tasks: tasks/setup/synapse/setup_synapse_pre.yml
- import_tasks: tasks/setup/synapse/ext/main.yml
- import_tasks: tasks/setup/synapse/setup_synapse_main.yml

@ -1,87 +0,0 @@
---
- name: Ensure matrix-postgres autoruns and is restarted
service:
name: matrix-postgres
enabled: yes
state: restarted
daemon_reload: yes
when: "not matrix_postgres_use_external"
- name: Ensure matrix-goofys autoruns and is restarted
service:
name: matrix-goofys
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_s3_media_store_enabled
- name: Ensure matrix-coturn autoruns and is restarted
service:
name: matrix-coturn
enabled: yes
state: restarted
daemon_reload: yes
- name: Ensure matrix-mailer autoruns and is restarted
service:
name: matrix-mailer
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mailer_enabled
- name: Ensure matrix-mxisd autoruns and is restarted
service:
name: matrix-mxisd
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mxisd_enabled
- name: Ensure matrix-synapse autoruns and is restarted
service:
name: matrix-synapse
enabled: yes
state: restarted
daemon_reload: yes
- name: Ensure matrix-riot-web autoruns and is restarted
service:
name: matrix-riot-web
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_riot_web_enabled
- name: Ensure matrix-nginx-proxy autoruns and is restarted
service:
name: matrix-nginx-proxy
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_nginx_proxy_enabled
- name: Ensure matrix-corporal autoruns and is restarted
service:
name: matrix-corporal
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_corporal_enabled
- name: Ensure matrix-mautrix-telegram autoruns and is restarted
service:
name: matrix-mautrix-telegram
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mautrix_telegram_enabled
- name: Ensure matrix-mautrix-whatsapp autoruns and is restarted
service:
name: matrix-mautrix-whatsapp
enabled: yes
state: restarted
daemon_reload: yes
when: matrix_mautrix_whatsapp_enabled

@ -0,0 +1,176 @@
matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Client/Server API's port to the local host (`127.0.0.1:8008`).
matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
# Specifies which template files to use when configuring Synapse.
# If you'd like to have your own different configuration, feel free to copy and paste
# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
# and then change the specific host's `vars.yaml` file like this:
# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars/<host>/homeserver.yaml.j2"
matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2"
matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2"
matrix_synapse_macaroon_secret_key: ""
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
# The final list of identity servers to use for Synapse.
# The first one would also be used as riot-web's default identity server.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
matrix_synapse_max_log_files_count: 10
# Log levels
# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels
# warning: setting log level to DEBUG will make synapse log sensitive information such
# as access tokens
matrix_synapse_log_level: "INFO"
matrix_synapse_storage_sql_log_level: "INFO"
matrix_synapse_root_log_level: "INFO"
# Rate limits
matrix_synapse_rc_messages_per_second: 0.2
matrix_synapse_rc_message_burst_count: 10.0
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false
# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
# If users participate in large rooms with many other servers,
# disabling this will decrease server load significantly.
matrix_synapse_use_presence: true
# Controls whether people with access to the homeserver can register by themselves.
matrix_synapse_enable_registration: false
# Users who register on this homeserver will automatically be joined to these rooms.
# Rooms are to be specified using addresses (e.g. `#address:example.com`)
matrix_synapse_auto_join_rooms: []
# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created
# automatically if they don't already exist.
matrix_synapse_autocreate_auto_join_rooms: true
# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
matrix_synapse_password_config_pepper: ""
# Controls the number of events that Matrix Synapse caches in memory.
matrix_synapse_event_cache_size: "100K"
# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable.
# Raise this to increase cache sizes or lower it to potentially lower memory use.
# To learn more, see:
# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram
# - https://github.com/matrix-org/synapse/issues/3939
matrix_synapse_cache_factor: 0.5
# Controls whether Matrix Synapse will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
matrix_synapse_federation_enabled: true
# A list of domain names that are allowed to federate with the given Matrix Synapse server.
# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
matrix_synapse_federation_domain_whitelist: ~
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_synapse_container_additional_volumes: []
# A list of additional loggers to register in synapse.log.config.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"name": "..", "level": "DEBUG"}
matrix_synapse_additional_loggers: []
# A list of service config files
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains fs paths
matrix_synapse_app_service_config_files: []
# This is set dynamically during execution depending on whether
# any password providers have been enabled or not.
matrix_synapse_password_providers_enabled: false
# Enable this to activate the REST auth password provider module.
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
matrix_synapse_ext_password_provider_rest_auth_enabled: false
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
# Enable this to activate the Shared Secret Auth password provider module.
# See: https://github.com/devture/matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
# Enable this to activate LDAP password provider
matrix_synapse_ext_password_provider_ldap_enabled: false
matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
matrix_synapse_ext_password_provider_ldap_start_tls: true
matrix_synapse_ext_password_provider_ldap_base: ""
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
matrix_synapse_ext_password_provider_ldap_bind_dn: ""
matrix_synapse_ext_password_provider_ldap_bind_password: ""
matrix_synapse_ext_password_provider_ldap_filter: ""
matrix_s3_media_store_enabled: false
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
matrix_s3_media_store_bucket_name: "your-bucket-name"
matrix_s3_media_store_aws_access_key: "your-aws-access-key"
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
matrix_s3_media_store_region: "eu-central-1"
# Matrix mautrix is a Matrix <-> Telegram bridge
# Enable telegram bridge
matrix_mautrix_telegram_enabled: false
matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
# Get your own API keys at https://my.telegram.org/apps
matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
# Mautrix telegram public endpoint to log in to telegram
# Use an uuid so it's not easily discoverable
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
# Matrix mautrix is a Matrix <-> Whatsapp bridge
# Enable whatsapp bridge
matrix_mautrix_whatsapp_enabled: false
matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"
matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"

@ -0,0 +1,5 @@
---
- import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/init.yml"
- import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}"
when: matrix_mautrix_telegram_enabled

@ -19,7 +19,7 @@
- name: Ensure Matrix Mautrix telegram config installed
template:
src: "{{ role_path }}/templates/mautrix-telegram/config.yaml.j2"
src: "{{ role_path }}/templates/ext/mautrix-telegram/config.yaml.j2"
dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
@ -28,7 +28,7 @@
- name: Ensure matrix-mautrix-telegram.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2"
src: "{{ role_path }}/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2"
dest: "/etc/systemd/system/matrix-mautrix-telegram.service"
mode: 0644
when: "matrix_mautrix_telegram_enabled"

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}"
when: matrix_mautrix_whatsapp_enabled

@ -19,7 +19,7 @@
- name: Ensure Matrix Mautrix whatsapp config installed
template:
src: "{{ role_path }}/templates/mautrix-whatsapp/config.yaml.j2"
src: "{{ role_path }}/templates/ext/mautrix-whatsapp/config.yaml.j2"
dest: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
@ -28,7 +28,7 @@
- name: Ensure matrix-mautrix-whatsapp.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2"
src: "{{ role_path }}/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2"
dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service"
mode: 0644
when: "matrix_mautrix_whatsapp_enabled"

Some files were not shown because too many files have changed in this diff Show More

Loading…
Cancel
Save