From ee2badf7a6558cded771f8769b1a714065ee7e3b Mon Sep 17 00:00:00 2001 From: Kolja Lampe Date: Mon, 5 Sep 2022 11:01:31 +0200 Subject: [PATCH 01/38] Correctly refer to the placeholder --- docs/configuring-playbook-bot-matrix-registration-bot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-matrix-registration-bot.md b/docs/configuring-playbook-bot-matrix-registration-bot.md index 739f0869..a3e4bbeb 100644 --- a/docs/configuring-playbook-bot-matrix-registration-bot.md +++ b/docs/configuring-playbook-bot-matrix-registration-bot.md @@ -56,7 +56,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). In this room send `help` and the bot will reply with all options. From 5f9f891322effa21d81c468cdcde701b6ba8c72c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Sep 2022 20:04:21 +0300 Subject: [PATCH 02/38] Fix misleading comment Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2086 --- roles/matrix-conduit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-conduit/defaults/main.yml b/roles/matrix-conduit/defaults/main.yml index 48a1ed1b..366321b9 100644 --- a/roles/matrix-conduit/defaults/main.yml +++ b/roles/matrix-conduit/defaults/main.yml @@ -38,7 +38,7 @@ matrix_conduit_max_request_size: 20_000_000 # Maximum number of open files for Conduit's embedded RocksDB database # See https://github.com/facebook/rocksdb/wiki/RocksDB-Tuning-Guide#tuning-other-options -# If not specified, Conduit defaults to a relatively low value of 20 +# By default, Conduit uses a relatively low value of 20. matrix_conduit_rocksdb_max_open_files: 64 # Enables registration. If set to false, no users can register on this server. From 48a1ab0d22496580d9d7eb14a863cbd9f5ce37a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Sep 2022 12:16:09 +0300 Subject: [PATCH 03/38] Upgrade Grafana (9.1.2 -> 9.1.3) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 0b57de77..dcd07bf5 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 9.1.2 +matrix_grafana_version: 9.1.3 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 8b40ca8daaa61fdf60bb04f5ff201ee54e942c6d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Sep 2022 12:16:27 +0300 Subject: [PATCH 04/38] Upgrade ddclient (v3.9.1-ls97 -> v3.9.1-ls98) --- roles/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 8354e1d9..8a5e7cdf 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.9.1-ls97 +matrix_dynamic_dns_version: v3.9.1-ls98 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From b92ff748e46e98c55f05aec46bb7047142810216 Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 9 Sep 2022 10:47:00 +0300 Subject: [PATCH 05/38] Update Postmoogle 0.9.0 -> 0.9.1 --- docs/configuring-dns.md | 33 ++++++++++++------- docs/configuring-playbook-bot-postmoogle.md | 3 ++ group_vars/matrix_servers | 2 ++ roles/matrix-bot-postmoogle/defaults/main.yml | 16 +++++++-- roles/matrix-bot-postmoogle/templates/env.j2 | 5 ++- .../systemd/matrix-bot-postmoogle.service.j2 | 2 ++ 6 files changed, 45 insertions(+), 16 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index ca7c08b0..e03a8cb8 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -28,18 +28,22 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco ## DNS settings for optional services/features -| Type | Host | Priority | Weight | Port | Target | -| ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | -| CNAME | `dimension` | - | - | - | `matrix.` | -| CNAME | `jitsi` | - | - | - | `matrix.` | -| CNAME | `stats` | - | - | - | `matrix.` | -| CNAME | `goneb` | - | - | - | `matrix.` | -| CNAME | `sygnal` | - | - | - | `matrix.` | -| CNAME | `ntfy` | - | - | - | `matrix.` | -| CNAME | `hydrogen` | - | - | - | `matrix.` | -| CNAME | `cinny` | - | - | - | `matrix.` | -| CNAME | `buscarron` | - | - | - | `matrix.` | +| Type | Host | Priority | Weight | Port | Target | +| ----- | ------------------------------ | -------- | ------ | ---- | --------------------------- | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | +| CNAME | `dimension` | - | - | - | `matrix.` | +| CNAME | `jitsi` | - | - | - | `matrix.` | +| CNAME | `stats` | - | - | - | `matrix.` | +| CNAME | `goneb` | - | - | - | `matrix.` | +| CNAME | `sygnal` | - | - | - | `matrix.` | +| CNAME | `ntfy` | - | - | - | `matrix.` | +| CNAME | `hydrogen` | - | - | - | `matrix.` | +| CNAME | `cinny` | - | - | - | `matrix.` | +| CNAME | `buscarron` | - | - | - | `matrix.` | +| MX | `matrix` | 10 | 0 | - | `matrix.` | +| TXT | `matrix` | - | - | - | `v=spf1 ip4: -all` | +| TXT | `_dmarc.matrix` | - | - | - | `v=DMARC1; p=quarantine;` | +| TXT | `postmoogle._domainkey.matrix` | - | - | - | get it from `!pm dkim` | ## Subdomains setup @@ -77,3 +81,8 @@ This is an optional feature for the optionally-installed [ma1sd service](configu Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation. When you're done with the DNS configuration and ready to proceed, continue with [Getting the playbook](getting-the-playbook.md). + +## `_dmarc`, `postmoogle._domainkey` TXT and `matrix` MX records setup + +To make the [postmoogle](https://gitlab.com/etke.cc/postmoogle) email bridge enable its email sending features, you need to configure +SPF (TXT), DMARC (TXT), DKIM (TXT) and MX records diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 70ac57b6..31566da9 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md @@ -35,6 +35,9 @@ matrix_bot_postmoogle_enabled: true matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT ``` +You will also need to add several DNS records so that postmoogle can send emails. +See [Configuring DNS](configuring-dns.md). + ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 074e06e9..6f841168 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1791,6 +1791,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else []) + + ([matrix_bot_postmoogle_domain] if matrix_bot_postmoogle_enabled else []) + + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) + matrix_ssl_additional_domains_to_obtain_certificates_for diff --git a/roles/matrix-bot-postmoogle/defaults/main.yml b/roles/matrix-bot-postmoogle/defaults/main.yml index 10c4255b..718480e3 100644 --- a/roles/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/matrix-bot-postmoogle/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.0 +matrix_bot_postmoogle_version: v0.9.1 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" @@ -17,6 +17,7 @@ matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_ matrix_bot_postmoogle_base_path: "{{ matrix_base_data_path }}/postmoogle" matrix_bot_postmoogle_config_path: "{{ matrix_bot_postmoogle_base_path }}/config" matrix_bot_postmoogle_data_path: "{{ matrix_bot_postmoogle_base_path }}/data" +matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" # A list of extra arguments to pass to the container matrix_bot_postmoogle_container_extra_arguments: [] @@ -110,11 +111,20 @@ matrix_bot_postmoogle_noencryption: false matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}" -# in-container port +# Mandatory TLS, even on plain SMTP port +matrix_bot_postmoogle_tls_required: false + +# in-container ports matrix_bot_postmoogle_port: '2525' +matrix_bot_postmoogle_tls_port: '25587' -# on-host port +# on-host ports matrix_bot_postmoogle_smtp_host_bind_port: '25' +matrix_bot_postmoogle_smtps_host_bind_port: '587' + +# in-container SSL paths +matrix_bot_postmoogle_tls_cert: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem" +matrix_bot_postmoogle_tls_key: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem" # Additional environment variables to pass to the postmoogle container # diff --git a/roles/matrix-bot-postmoogle/templates/env.j2 b/roles/matrix-bot-postmoogle/templates/env.j2 index 7c0d10be..304e0dd8 100644 --- a/roles/matrix-bot-postmoogle/templates/env.j2 +++ b/roles/matrix-bot-postmoogle/templates/env.j2 @@ -10,7 +10,10 @@ POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }} POSTMOOGLE_SENTRY={{ matrix_bot_postmoogle_sentry }} POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }} POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }} -POSTMOOGLE_USERS={{ matrix_bot_postmoogle_users | join(' ') }} POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }} +POSTMOOGLE_TLS_PORT={{ matrix_bot_postmoogle_tls_port }} +POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }} +POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }} +POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }} {{ matrix_bot_postmoogle_environment_variables_extension }} diff --git a/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 b/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 index 38eb89a6..8250d20a 100644 --- a/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 +++ b/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 @@ -24,7 +24,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-postmoogle --network={{ matrix_docker_network }} \ --env-file={{ matrix_bot_postmoogle_config_path }}/env \ -p {{ matrix_bot_postmoogle_smtp_host_bind_port }}:{{ matrix_bot_postmoogle_port }} \ + -p {{ matrix_bot_postmoogle_smtps_host_bind_port }}:{{ matrix_bot_postmoogle_tls_port }} \ --mount type=bind,src={{ matrix_bot_postmoogle_data_path }},dst=/data \ + --mount type=bind,src={{ matrix_bot_postmoogle_ssl_path }},dst=/ssl \ {% for arg in matrix_bot_postmoogle_container_extra_arguments %} {{ arg }} \ {% endfor %} From 692a7af36afcb301d3e16fc9c2924681871cda2e Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 9 Sep 2022 13:19:25 +0300 Subject: [PATCH 06/38] postmoogle feedback --- docs/configuring-dns.md | 2 +- group_vars/matrix_servers | 3 ++ roles/matrix-bot-postmoogle/defaults/main.yml | 30 ++++++++++++++----- .../systemd/matrix-bot-postmoogle.service.j2 | 6 +++- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- .../tasks/ssl/setup_ssl_manually_managed.yml | 2 +- .../tasks/ssl/setup_ssl_self_signed.yml | 2 +- 7 files changed, 34 insertions(+), 13 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index e03a8cb8..05cb4b7a 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -84,5 +84,5 @@ When you're done with the DNS configuration and ready to proceed, continue with ## `_dmarc`, `postmoogle._domainkey` TXT and `matrix` MX records setup -To make the [postmoogle](https://gitlab.com/etke.cc/postmoogle) email bridge enable its email sending features, you need to configure +To make the [postmoogle](configuring-playbook-bot-postmoogle.md) email bridge enable its email sending features, you need to configure SPF (TXT), DMARC (TXT), DKIM (TXT) and MX records diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6f841168..2c14a917 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1210,6 +1210,9 @@ matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in # We don't enable bots by default. matrix_bot_postmoogle_enabled: false +matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" +matrix_bot_postmoogle_tls_cert: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem" +matrix_bot_postmoogle_tls_key: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem" matrix_bot_postmoogle_systemd_required_services_list: | {{ diff --git a/roles/matrix-bot-postmoogle/defaults/main.yml b/roles/matrix-bot-postmoogle/defaults/main.yml index 718480e3..6f7a96cc 100644 --- a/roles/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/matrix-bot-postmoogle/defaults/main.yml @@ -17,7 +17,6 @@ matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_ matrix_bot_postmoogle_base_path: "{{ matrix_base_data_path }}/postmoogle" matrix_bot_postmoogle_config_path: "{{ matrix_bot_postmoogle_base_path }}/config" matrix_bot_postmoogle_data_path: "{{ matrix_bot_postmoogle_base_path }}/data" -matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" # A list of extra arguments to pass to the container matrix_bot_postmoogle_container_extra_arguments: [] @@ -111,20 +110,35 @@ matrix_bot_postmoogle_noencryption: false matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}" -# Mandatory TLS, even on plain SMTP port -matrix_bot_postmoogle_tls_required: false - # in-container ports matrix_bot_postmoogle_port: '2525' matrix_bot_postmoogle_tls_port: '25587' # on-host ports matrix_bot_postmoogle_smtp_host_bind_port: '25' -matrix_bot_postmoogle_smtps_host_bind_port: '587' +matrix_bot_postmoogle_submission_host_bind_port: '587' + +### SSL +## on-host SSL dir +matrix_bot_postmoogle_ssl_path: "" + +## in-container SSL paths +# matrix_bot_postmoogle_tls_cert is the SSL certificate's certificate. +# This is likely set via group_vars/matrix_servers, so you don't need to set it. +# If you do need to set it manually, note that this is an in-container path. +# To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path +# Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem +matrix_bot_postmoogle_tls_cert: "" + +# matrix_bot_postmoogle_tls_key is the SSL certificate's key. +# This is likely set via group_vars/matrix_servers, so you don't need to set it. +# If you do need to set it manually, note that this is an in-container path. +# To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path +# Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem +matrix_bot_postmoogle_tls_key: "" -# in-container SSL paths -matrix_bot_postmoogle_tls_cert: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem" -matrix_bot_postmoogle_tls_key: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem" +# Mandatory TLS, even on plain SMTP port +matrix_bot_postmoogle_tls_required: false # Additional environment variables to pass to the postmoogle container # diff --git a/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 b/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 index 8250d20a..fa45a3a4 100644 --- a/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 +++ b/roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 @@ -24,9 +24,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-postmoogle --network={{ matrix_docker_network }} \ --env-file={{ matrix_bot_postmoogle_config_path }}/env \ -p {{ matrix_bot_postmoogle_smtp_host_bind_port }}:{{ matrix_bot_postmoogle_port }} \ - -p {{ matrix_bot_postmoogle_smtps_host_bind_port }}:{{ matrix_bot_postmoogle_tls_port }} \ + {% if matrix_bot_postmoogle_ssl_path %} + -p {{ matrix_bot_postmoogle_submission_host_bind_port }}:{{ matrix_bot_postmoogle_tls_port }} \ + {% endif %} --mount type=bind,src={{ matrix_bot_postmoogle_data_path }},dst=/data \ + {% if matrix_bot_postmoogle_ssl_path %} --mount type=bind,src={{ matrix_bot_postmoogle_ssl_path }},dst=/ssl \ + {% endif %} {% for arg in matrix_bot_postmoogle_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 0e5339a9..f2afe2ff 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -26,7 +26,7 @@ - name: Obtain Let's Encrypt certificates ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml index f6fc5a81..769af323 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml @@ -2,7 +2,7 @@ - name: Verify certificates ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}" loop_control: loop_var: domain_name when: "matrix_ssl_retrieval_method == 'manually-managed'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 3a7f1958..918b74db 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -5,7 +5,7 @@ - name: Generate self-signed certificates ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}" loop_control: loop_var: domain_name when: "matrix_ssl_retrieval_method == 'self-signed'" From 98b9e2cd848397acfdf1c5573385a2ff7462beb7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 14:36:53 +0300 Subject: [PATCH 07/38] Add "Component" column to optional-DNS-records table --- docs/configuring-dns.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 05cb4b7a..8b80613a 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -28,22 +28,22 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco ## DNS settings for optional services/features -| Type | Host | Priority | Weight | Port | Target | -| ----- | ------------------------------ | -------- | ------ | ---- | --------------------------- | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | -| CNAME | `dimension` | - | - | - | `matrix.` | -| CNAME | `jitsi` | - | - | - | `matrix.` | -| CNAME | `stats` | - | - | - | `matrix.` | -| CNAME | `goneb` | - | - | - | `matrix.` | -| CNAME | `sygnal` | - | - | - | `matrix.` | -| CNAME | `ntfy` | - | - | - | `matrix.` | -| CNAME | `hydrogen` | - | - | - | `matrix.` | -| CNAME | `cinny` | - | - | - | `matrix.` | -| CNAME | `buscarron` | - | - | - | `matrix.` | -| MX | `matrix` | 10 | 0 | - | `matrix.` | -| TXT | `matrix` | - | - | - | `v=spf1 ip4: -all` | -| TXT | `_dmarc.matrix` | - | - | - | `v=DMARC1; p=quarantine;` | -| TXT | `postmoogle._domainkey.matrix` | - | - | - | get it from `!pm dkim` | +| Type | Host | Priority | Weight | Port | Target | Used by component | +| ----- | ------------------------------ | -------- | ------ | ---- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------- | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | [ma1sd](configuring-playbook-ma1sd.md) identity server | +| CNAME | `dimension` | - | - | - | `matrix.` | [Dimension](configuring-playbook-dimension.md) integration server | +| CNAME | `jitsi` | - | - | - | `matrix.` | [Jitsi](configuring-playbook-jitsi.md) video-conferencing platform | +| CNAME | `stats` | - | - | - | `matrix.` | [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) monitoring system | +| CNAME | `goneb` | - | - | - | `matrix.` | [Go-NEB](configuring-playbook-bot-go-neb.md) bot | +| CNAME | `sygnal` | - | - | - | `matrix.` | [Sygnal](configuring-playbook-sygnal.md) push notification gateway | +| CNAME | `ntfy` | - | - | - | `matrix.` | [ntfy](configuring-playbook-ntfy.md) push notifications server | +| CNAME | `hydrogen` | - | - | - | `matrix.` | [Hydrogen](configuring-playbook-client-hydrogen.md) web client | +| CNAME | `cinny` | - | - | - | `matrix.` | [Cinny](configuring-playbook-client-cinny.md) web client | +| CNAME | `buscarron` | - | - | - | `matrix.` | [Buscarron](configuring-playbook-bot-buscarron.md) helpdesk bot | +| MX | `matrix` | 10 | 0 | - | `matrix.` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | +| TXT | `matrix` | - | - | - | `v=spf1 ip4: -all` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | +| TXT | `_dmarc.matrix` | - | - | - | `v=DMARC1; p=quarantine;` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | +| TXT | `postmoogle._domainkey.matrix` | - | - | - | get it from `!pm dkim` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | ## Subdomains setup From 5825a0c9195b990b727d5c0d507671281f01da71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 9 Sep 2022 13:37:52 +0200 Subject: [PATCH 08/38] Cactus comments (#2089) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add construct for cactus comments role * Adjust config files * Add docker self build to defaults * Adjust tasks * Fix smaller syntax errors * Fix env argument * Add tmp path to allow container writing there Background why I did this: https://docs.gunicorn.org/en/stable/settings.html#worker-tmp-dir * Change port back to 5000 as not configurable in container * Try to add appservice config file for synapse to use * Inject appservice file * Correct copied variable name * Comment out unused app service file injection would need mounting the appservice file to the synapse container i guess * Move role before synapse to be able to inject during runtime * Remove unused parts * Change default user id to mirror official docs * Add docs * Update roles/matrix-cactus-comments/tasks/setup_install.yml Co-authored-by: Slavi Pantaleev * Update roles/matrix-cactus-comments/templates/cactus_appservice.yaml.j2 Co-authored-by: Slavi Pantaleev * Generate secrets if necessary, adjust docs * Rename cactusbot userid * Shorten salt strings Co-authored-by: Slavi Pantaleev * Use tmpfs instead of persistent mount * Remove proxy option as it is nonsense * Add download and serving of cc-client files * Add documentation on client * Clarify docs a bit * Add nginx proxy to required services Signed-off-by: Julian-Samuel Gebühr * Use container address Signed-off-by: Julian-Samuel Gebühr * Correct comment of user id Signed-off-by: Julian-Samuel Gebühr * Use releases or local distributed client Signed-off-by: Julian-Samuel Gebühr * Move homeserver url to defaults Signed-off-by: Julian-Samuel Gebühr * Correct truth value Signed-off-by: Julian-Samuel Gebühr * Add documentation of variables Co-authored-by: Slavi Pantaleev * Tabs vs. spaces Co-authored-by: Slavi Pantaleev * Make nginx root configurable Signed-off-by: Julian-Samuel Gebühr * Complete ake nginx root configurable Signed-off-by: Julian-Samuel Gebühr * Fix file permission Signed-off-by: Julian-Samuel Gebühr * Fix lint errors Signed-off-by: Julian-Samuel Gebühr Signed-off-by: Julian-Samuel Gebühr Co-authored-by: Slavi Pantaleev --- README.md | 2 + docs/configuring-playbook-cactus-comments.md | 63 ++++++++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + group_vars/matrix_servers | 29 ++++ .../matrix-cactus-comments/defaults/main.yml | 58 ++++++++ roles/matrix-cactus-comments/tasks/init.yml | 67 +++++++++ roles/matrix-cactus-comments/tasks/main.yml | 23 +++ .../tasks/setup_install.yml | 138 ++++++++++++++++++ .../tasks/setup_uninstall.yml | 36 +++++ .../tasks/validate_config.yml | 10 ++ .../templates/cactus_appservice.yaml.j2 | 19 +++ roles/matrix-cactus-comments/templates/env.j2 | 6 + .../systemd/matrix-cactus-comments.service.j2 | 36 +++++ setup.yml | 1 + 15 files changed, 492 insertions(+) create mode 100644 docs/configuring-playbook-cactus-comments.md create mode 100644 roles/matrix-cactus-comments/defaults/main.yml create mode 100644 roles/matrix-cactus-comments/tasks/init.yml create mode 100644 roles/matrix-cactus-comments/tasks/main.yml create mode 100644 roles/matrix-cactus-comments/tasks/setup_install.yml create mode 100644 roles/matrix-cactus-comments/tasks/setup_uninstall.yml create mode 100644 roles/matrix-cactus-comments/tasks/validate_config.yml create mode 100644 roles/matrix-cactus-comments/templates/cactus_appservice.yaml.j2 create mode 100644 roles/matrix-cactus-comments/templates/env.j2 create mode 100644 roles/matrix-cactus-comments/templates/systemd/matrix-cactus-comments.service.j2 diff --git a/README.md b/README.md index 221e8a85..e545d18f 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Buscarron](https://gitlab.com/etke.cc/buscarron) bot - see [docs/configuring-playbook-bot-buscarron.md](docs/configuring-playbook-bot-buscarron.md) for setup documentation +- (optional) [Cactus Comments](https://cactus.chat), a federated comment system built on matrix - see [docs/configuring-playbook-cactus-comments.md](docs/configuring-playbook-cactus-comments.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-playbook-cactus-comments.md b/docs/configuring-playbook-cactus-comments.md new file mode 100644 index 00000000..b62d33b2 --- /dev/null +++ b/docs/configuring-playbook-cactus-comments.md @@ -0,0 +1,63 @@ +# Setting up Cactus Comments (optional) + +The playbook can install and configure [Cactus Comments](https://cactus.chat) for you. + +Cactus Comments is a **federated comment system** built on Matrix. The role allows you to self-host the system. +It respects your privacy, and puts you in control. + +See the project's [documentation](https://cactus.chat/docs/getting-started/introduction/) to learn what it +does and why it might be useful to you. + + +## Configuration + +Add the following block to your `vars.yaml` and make sure to exchange the tokens to randomly generated values. + +```ỳaml +################# +## Cactus Chat ## +################# + +matrix_cactus_comments_enabled: true + +# To allow guest comments without users needing to log in, you need to have guest registration enabled. +# To do this you need to uncomment one of the following lines (depending if you are using synapse or dentrite as a homeserver) +# If you don't know which one you use: The default is synapse ;) +# matrix_synapse_allow_guest_access: true +# matrix_dentrite_allow_guest_access +``` + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To get started wit cactus comments message @bot.cactusbot:your-homeserver.com and type `help` to make sure it works. +Then register a site by typing: `register `. You will then be invited into a moderation room. +Now you are good to go and can include the comment section on your website! + +**Careful:** To really make use of self-hosting you need change a few things in comparison to the official docs! + +Insert the following snippet into you page and make sure to replace `example.com` with your base domain! + + +```html + + +
+ +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b3b44b5f..b17f902f 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -179,3 +179,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) + +- [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional) diff --git a/docs/container-images.md b/docs/container-images.md index b16babff..737a4457 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -117,3 +117,5 @@ These services are not part of our default installation, but can be enabled by [ - [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix - [binwiederhier/ntfy](https://hub.docker.com/r/binwiederhier/ntfy/) - [ntfy](https://ntfy.sh/) is a self-hosted, UnifiedPush-compatible push notifications server + +- [cactuscomments/cactus-appservice](https://hub.docker.com/r/cactuscomments/cactus-appservice/) - [Cactus Comments](https://cactus.chat) a federated comment system built on Matrix diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2c14a917..d96af363 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1332,6 +1332,35 @@ matrix_backup_borg_systemd_required_services_list: | # /matrix-backup-borg # ###################################################################### +###################################################################### +# +# matrix-cactus-comments +# +###################################################################### + +matrix_cactus_comments_enabled: false + +# Derive secret values from homeserver secret +matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token') | to_uuid }}" +matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token') | to_uuid }}" + +matrix_cactus_comments_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" +matrix_cactus_comments_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + + + (['matrix-' + matrix_homeserver_implementation + '.service']) + }} + +matrix_cactus_comments_client_nginx_path: {{ '/cactus-comments/' if matrix_nginx_proxy_enabled else matrix_cactus_comments_client_path + '/' }} + +###################################################################### +# +# /matrix-cactus-comments +# +###################################################################### ###################################################################### # diff --git a/roles/matrix-cactus-comments/defaults/main.yml b/roles/matrix-cactus-comments/defaults/main.yml new file mode 100644 index 00000000..dbd5b844 --- /dev/null +++ b/roles/matrix-cactus-comments/defaults/main.yml @@ -0,0 +1,58 @@ +--- +# Cactus Comments is a federated comment system built on Matrix + +matrix_cactus_comments_enabled: true +matrix_cactus_comments_serve_client_enabled: true +matrix_cactus_comments_container_image_self_build: false +matrix_cactus_comments_docker_repo: "https://gitlab.com/cactus-comments/cactus-appservice.git" +matrix_cactus_comments_docker_repo_version: "{{ matrix_cactus_comments_version if matrix_cactus_comments_version != 'latest' else 'main' }}" +matrix_cactus_comments_docker_src_files_path: "{{ matrix_cactus_comments_base_path }}/docker-src" + + +matrix_cactus_comments_base_path: "{{ matrix_base_data_path }}/cactus-comments" +matrix_cactus_comments_container_tmp_path: "{{ matrix_cactus_comments_base_path }}/tmp" +matrix_cactus_comments_client_path: "{{ matrix_cactus_comments_base_path }}/client" +matrix_cactus_comments_client_file_permissions: "0644" + +matrix_cactus_comments_app_service_config_file: "{{ matrix_cactus_comments_base_path }}/cactus_appservice.yaml" +matrix_cactus_comments_app_service_env_file: "{{ matrix_cactus_comments_base_path }}/cactus.env" + +matrix_cactus_comments_as_token: '' +matrix_cactus_comments_hs_token: '' +matrix_cactus_comments_homeserver_url: "{{ matrix_homeserver_container_url }}" +matrix_cactus_comments_user_id: "bot.cactusbot" +matrix_cactus_comments_tmp_directory_size_mb: 1 + +matrix_cactus_comments_container_port: 5000 + +matrix_cactus_comments_version: latest +matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}" +matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}" + +# matrix_cactus_comments_client_version specifies the version of the cactus-client release to use. +# For available versions, see: https://gitlab.com/cactus-comments/cactus-client/-/releases +# Also see: `matrix_cactus_comments_client_local_dir` +matrix_cactus_comments_client_version: "0.13.0" + +# matrix_cactus_comments_client_local_dir specifies a local directory (on the Ansible controller, not on the remote server) with cactus-client files to use. +# This is an alternative to `matrix_cactus_comments_client_version`, to be used when you'd like to +# provide the files locally / manually. +matrix_cactus_comments_client_local_dir: '' + +# matrix_cactus_comments_client_nginx_path specifies the path where nginx can access the client files. +# The default value assumes a container setup. If you're running nginx without a container, consider adjusting this path +matrix_cactus_comments_client_nginx_path: "/cactus-comments/" + +# matrix_cactus_comments_client_endpoint specifies where nginx will serve the files in nginx is enabled +matrix_cactus_comments_client_endpoint: "/cactus-comments/" + +# List of systemd services that matrix-cactus-comments.service depends on +matrix_bot_cactus_comments_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-cactus-comments.service wants +matrix_bot_cactus_comments_systemd_wanted_services_list: [] + +# A list of extra arguments to pass to the container +matrix_cactus_comments_container_extra_arguments: [] + +matrix_cactus_comments_environment_variables_extension: '' diff --git a/roles/matrix-cactus-comments/tasks/init.yml b/roles/matrix-cactus-comments/tasks/init.yml new file mode 100644 index 00000000..78cdd319 --- /dev/null +++ b/roles/matrix-cactus-comments/tasks/init.yml @@ -0,0 +1,67 @@ +--- + +- ansible.builtin.set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-cactus-comments.service'] }}" + when: matrix_cactus_comments_enabled | bool + +# If the matrix-synapse role is not used, these variables may not exist. +- ansible.builtin.set_fact: + matrix_homeserver_container_runtime_injected_arguments: > + {{ + matrix_homeserver_container_runtime_injected_arguments | default([]) + + + ["--mount type=bind,src={{ matrix_cactus_comments_app_service_config_file }},dst=/matrix-cactus-comments.yaml,ro"] + }} + + matrix_homeserver_app_service_runtime_injected_config_files: > + {{ + matrix_homeserver_app_service_runtime_injected_config_files | default([]) + + + ["/matrix-cactus-comments.yaml"] + }} + when: matrix_cactus_comments_enabled | bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Cactus Comment's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-cactus-comments role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + + - name: Mount volume + ansible.builtin.set_fact: + matrix_nginx_proxy_container_additional_volumes: > + {{ + matrix_nginx_proxy_container_additional_volumes | default([]) + + + [{"src": "{{ matrix_cactus_comments_client_path }}", "dst": "/cactus-comments/cactus-comments", "options": "ro"}] + }} + - name: Generate Cactus Comment proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_cactus_comments_nginx_proxy_configuration: | + location {{ matrix_cactus_comments_client_endpoint }} { + root {{ matrix_cactus_comments_client_nginx_path }}; + } + when: "matrix_nginx_proxy_enabled | default(False) | bool" + - name: Register Cactus Comment proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_cactus_comments_nginx_proxy_configuration] + }} + - name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled Cactus Comments but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying client files in {{ matrix_cactus_comments_client_path }} correctly + when: "not matrix_nginx_proxy_enabled | default(False) | bool" + + tags: + - always + when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool diff --git a/roles/matrix-cactus-comments/tasks/main.yml b/roles/matrix-cactus-comments/tasks/main.yml new file mode 100644 index 00000000..857e2db1 --- /dev/null +++ b/roles/matrix-cactus-comments/tasks/main.yml @@ -0,0 +1,23 @@ +--- + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_cactus_comments_enabled | bool" + tags: + - setup-all + - setup-cactus-comments + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_cactus_comments_enabled | bool" + tags: + - setup-all + - setup-cactus-comments + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_cactus_comments_enabled | bool" + tags: + - setup-all + - setup-cactus-comments diff --git a/roles/matrix-cactus-comments/tasks/setup_install.yml b/roles/matrix-cactus-comments/tasks/setup_install.yml new file mode 100644 index 00000000..8e6bb68e --- /dev/null +++ b/roles/matrix-cactus-comments/tasks/setup_install.yml @@ -0,0 +1,138 @@ +--- + +- name: Ensure cactus comments paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_cactus_comments_base_path }}", when: true} + - {path: "{{ matrix_cactus_comments_client_path }}", when: true} + - {path: "{{ matrix_cactus_comments_container_tmp_path }}", when: true} + - {path: "{{ matrix_cactus_comments_docker_src_files_path }}", when: matrix_cactus_comments_container_image_self_build} + when: "item.when | bool" + +- name: Ensure cactus comments environment file created + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_cactus_comments_app_service_env_file }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure cactus comments appservice file created + ansible.builtin.template: + src: "{{ role_path }}/templates/cactus_appservice.yaml.j2" + dest: "{{ matrix_cactus_comments_app_service_config_file }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure cactus comments image is pulled + docker_image: + name: "{{ matrix_cactus_comments_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_cactus_comments_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_cactus_comments_docker_image_force_pull }}" + when: "not matrix_cactus_comments_container_image_self_build | bool" + register: result + retries: "{{ matrix_container_retries_count }}" + delay: "{{ matrix_container_retries_delay }}" + until: result is not failed + +- name: Ensure cactus comments repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_cactus_comments_docker_repo }}" + version: "{{ matrix_cactus_comments_docker_repo_version }}" + dest: "{{ matrix_cactus_comments_docker_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_cactus_comments_git_pull_results + when: "matrix_cactus_comments_container_image_self_build | bool" + +- name: Ensure cactus comments image is built + docker_image: + name: "{{ matrix_cactus_comments_docker_image }}" + source: build + force_source: "{{ matrix_cactus_comments_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_cactus_comments_docker_src_files_path }}" + pull: true + when: "matrix_cactus_comments_container_image_self_build | bool" + +- block: + - name: Download client binary to local folder + ansible.builtin.get_url: + url: "https://gitlab.com/cactus-comments/cactus-client/-/archive/v{{ matrix_cactus_comments_client_version }}/cactus-client-v{{ matrix_cactus_comments_client_version }}.tar.gz" + dest: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz" + mode: '0644' + register: _download_client + until: _download_client is succeeded + retries: 5 + delay: 2 + check_mode: false + + - name: Unpack client + ansible.builtin.unarchive: + src: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz" + dest: "/tmp/" + remote_src: true + mode: 0600 + check_mode: false + + - name: Propagate client javascript file + ansible.builtin.copy: + src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/cactus.js" + remote_src: true + dest: "{{ matrix_cactus_comments_client_path }}/cactus.js" + mode: "{{ matrix_cactus_comments_client_file_permissions }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Propagate client style file + ansible.builtin.copy: + src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/style.css" + remote_src: true + dest: "{{ matrix_cactus_comments_client_path }}/style.css" + mode: "{{ matrix_cactus_comments_client_file_permissions }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_cactus_comments_client_local_dir | length == 0 + +- block: + - name: Propagate locally distributed client javascreipt + ansible.builtin.copy: + src: "{{ matrix_cactus_comments_client_local_dir }}/src/cactus.js" + dest: "{{ matrix_cactus_comments_client_path }}/cactus.js" + mode: "{{ matrix_cactus_comments_client_file_permissions }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Propagate locally distributed client style.css + ansible.builtin.copy: + src: "{{ matrix_cactus_comments_client_local_dir }}/src/style.css" + dest: "{{ matrix_cactus_comments_client_path }}/style.css" + mode: "{{ matrix_cactus_comments_client_file_permissions }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_cactus_comments_client_local_dir | length > 0 + +- name: Ensure matrix-cactus-comments.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-cactus-comments.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-cactus-comments.service" + mode: 0644 + register: matrix_cactus_comments_systemd_service_result + +- name: Ensure systemd reloaded after matrix-cactus-comments.service installation + ansible.builtin.service: + daemon_reload: true + when: "matrix_cactus_comments_systemd_service_result.changed | bool" + +- name: Ensure matrix-cactus-comments.service restarted, if necessary + ansible.builtin.service: + name: "matrix-cactus-comments.service" + state: restarted diff --git a/roles/matrix-cactus-comments/tasks/setup_uninstall.yml b/roles/matrix-cactus-comments/tasks/setup_uninstall.yml new file mode 100644 index 00000000..011c04b8 --- /dev/null +++ b/roles/matrix-cactus-comments/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-cactus-comments service + ansible.builtin.stat: + path: "{{ matrix_systemd_path }}/matrix-cactus-comments.service" + register: matrix_cactus_comments_service_stat + +- name: Ensure cactus comments is stopped + ansible.builtin.service: + name: matrix-cactus-comments + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + when: "matrix_cactus_comments_service_stat.stat.exists | bool" + +- name: Ensure matrix-cactus-comments.service doesn't exist + ansible.builtin.file: + path: "{{ matrix_systemd_path }}/matrix-cactus-comments.service" + state: absent + when: "matrix_cactus_comments_service_stat.stat.exists | bool" + +- name: Ensure systemd reloaded after matrix-cactus-comments.service removal + ansible.builtin.service: + daemon_reload: true + when: "matrix_cactus_comments_service_stat.stat.exists | bool" + +- name: Ensure Matrix cactus comments paths don't exist + ansible.builtin.file: + path: "{{ matrix_cactus_comments_base_path }}" + state: absent + +- name: Ensure cactus comments Docker image doesn't exist + docker_image: + name: "{{ matrix_cactus_comments_docker_image }}" + state: absent diff --git a/roles/matrix-cactus-comments/tasks/validate_config.yml b/roles/matrix-cactus-comments/tasks/validate_config.yml new file mode 100644 index 00000000..094a203d --- /dev/null +++ b/roles/matrix-cactus-comments/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_cactus_comments_as_token" + - "matrix_cactus_comments_hs_token" diff --git a/roles/matrix-cactus-comments/templates/cactus_appservice.yaml.j2 b/roles/matrix-cactus-comments/templates/cactus_appservice.yaml.j2 new file mode 100644 index 00000000..bfcb4bb3 --- /dev/null +++ b/roles/matrix-cactus-comments/templates/cactus_appservice.yaml.j2 @@ -0,0 +1,19 @@ +# A unique, user-defined ID of the application service which will never change. +id: "Cactus Comments" + +# Where the cactus-appservice is hosted: +url: "http://matrix-cactus-comments:{{ matrix_cactus_comments_container_port }}" + +# Unique tokens used to authenticate requests between our service and the +# homeserver (and the other way). Use the sha256 hashes of something random. +# CHANGE THESE VALUES. +as_token: {{ matrix_cactus_comments_as_token | to_json }} +hs_token: {{ matrix_cactus_comments_hs_token | to_json }} + +# The user id of the cactusbot which can be used to register and moderate sites +sender_localpart: "{{ matrix_cactus_comments_user_id }}" + +namespaces: + aliases: + - exclusive: true + regex: "#comments_.*" diff --git a/roles/matrix-cactus-comments/templates/env.j2 b/roles/matrix-cactus-comments/templates/env.j2 new file mode 100644 index 00000000..ab048961 --- /dev/null +++ b/roles/matrix-cactus-comments/templates/env.j2 @@ -0,0 +1,6 @@ +CACTUS_HS_TOKEN={{ matrix_cactus_comments_hs_token }} +CACTUS_AS_TOKEN={{ matrix_cactus_comments_as_token }} +CACTUS_HOMESERVER_URL={{ matrix_cactus_comments_homeserver_url }} +CACTUS_USER_ID=@{{ matrix_cactus_comments_user_id }}:{{ matrix_domain }} + +{{ matrix_cactus_comments_environment_variables_extension }} diff --git a/roles/matrix-cactus-comments/templates/systemd/matrix-cactus-comments.service.j2 b/roles/matrix-cactus-comments/templates/systemd/matrix-cactus-comments.service.j2 new file mode 100644 index 00000000..06825582 --- /dev/null +++ b/roles/matrix-cactus-comments/templates/systemd/matrix-cactus-comments.service.j2 @@ -0,0 +1,36 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Cactus Comments +{% for service in matrix_bot_cactus_comments_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_cactus_comments_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-cactus-comments 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-cactus-comments 2>/dev/null || true' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-cactus-comments \ + --log-driver=none \ + --cap-drop=ALL \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --read-only \ + --env-file {{ matrix_cactus_comments_app_service_env_file }} \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_cactus_comments_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {{ matrix_cactus_comments_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-cactus-comments 2>/dev/null || true' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-cactus-comments 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-cactus-comments + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 3b7d235d..bd78158c 100755 --- a/setup.yml +++ b/setup.yml @@ -46,6 +46,7 @@ - matrix-bot-postmoogle - matrix-bot-go-neb - matrix-bot-mjolnir + - matrix-cactus-comments - matrix-synapse - matrix-dendrite - matrix-conduit From d2dc9149a9c9d2475cddaa1b26dc64565f269894 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 14:43:49 +0300 Subject: [PATCH 09/38] =?UTF-8?q?Fix=20YAML=20block=20(=E1=BB=B3aml=20->?= =?UTF-8?q?=20yaml)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2089 --- docs/configuring-playbook-cactus-comments.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-cactus-comments.md b/docs/configuring-playbook-cactus-comments.md index b62d33b2..668d3cb6 100644 --- a/docs/configuring-playbook-cactus-comments.md +++ b/docs/configuring-playbook-cactus-comments.md @@ -13,7 +13,7 @@ does and why it might be useful to you. Add the following block to your `vars.yaml` and make sure to exchange the tokens to randomly generated values. -```ỳaml +```yaml ################# ## Cactus Chat ## ################# From c00a8d4099ed5011c818c999bd4a124a3f4e0fff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 14:47:53 +0300 Subject: [PATCH 10/38] Announce Cactus Comments support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2089 --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-cactus-comments.md | 2 +- roles/matrix-cactus-comments/defaults/main.yml | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e094858..df4957eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2022-09-09 + +## Cactus Comments support + +Thanks to [Julian-Samuel Gebühr (@moan0s)](https://github.com/moan0s), the playbook can now set up [Cactus Comments](https://cactus.chat) - federated comment system for the web based on Matrix. + +See our [Setting up a Cactus Comments server](docs/configuring-playbook-cactus-comments.md) documentation to get started. + + # 2022-08-23 ## Postmoogle email bridge support diff --git a/docs/configuring-playbook-cactus-comments.md b/docs/configuring-playbook-cactus-comments.md index 668d3cb6..58a989e8 100644 --- a/docs/configuring-playbook-cactus-comments.md +++ b/docs/configuring-playbook-cactus-comments.md @@ -38,7 +38,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To get started wit cactus comments message @bot.cactusbot:your-homeserver.com and type `help` to make sure it works. +To get started wit cactus comments message `@bot.cactusbot:your-homeserver.com` and type `help` to make sure it works. Then register a site by typing: `register `. You will then be invited into a moderation room. Now you are good to go and can include the comment section on your website! diff --git a/roles/matrix-cactus-comments/defaults/main.yml b/roles/matrix-cactus-comments/defaults/main.yml index dbd5b844..a4c50a66 100644 --- a/roles/matrix-cactus-comments/defaults/main.yml +++ b/roles/matrix-cactus-comments/defaults/main.yml @@ -1,5 +1,7 @@ --- # Cactus Comments is a federated comment system built on Matrix +# Project source code URL: https://gitlab.com/cactus-comments/cactus-appservice +# Project source code URL: https://gitlab.com/cactus-comments/cactus-client matrix_cactus_comments_enabled: true matrix_cactus_comments_serve_client_enabled: true From 71555341d1194e90561fa0d65f30764a047b4028 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 14:49:46 +0300 Subject: [PATCH 11/38] Pin Cactus Comments version (latest -> 0.9.0) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2089 --- roles/matrix-cactus-comments/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-cactus-comments/defaults/main.yml b/roles/matrix-cactus-comments/defaults/main.yml index a4c50a66..224a5348 100644 --- a/roles/matrix-cactus-comments/defaults/main.yml +++ b/roles/matrix-cactus-comments/defaults/main.yml @@ -27,7 +27,7 @@ matrix_cactus_comments_tmp_directory_size_mb: 1 matrix_cactus_comments_container_port: 5000 -matrix_cactus_comments_version: latest +matrix_cactus_comments_version: 0.9.0 matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}" matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}" From a4d8a4094bfe5bb3e100b3d2109e38690087fe9c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 15:02:45 +0300 Subject: [PATCH 12/38] Put "Component" column first in the optional-DNS configuration table Related to 98b9e2cd848397ac --- docs/configuring-dns.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 8b80613a..8d31ab3f 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -28,22 +28,22 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco ## DNS settings for optional services/features -| Type | Host | Priority | Weight | Port | Target | Used by component | -| ----- | ------------------------------ | -------- | ------ | ---- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | [ma1sd](configuring-playbook-ma1sd.md) identity server | -| CNAME | `dimension` | - | - | - | `matrix.` | [Dimension](configuring-playbook-dimension.md) integration server | -| CNAME | `jitsi` | - | - | - | `matrix.` | [Jitsi](configuring-playbook-jitsi.md) video-conferencing platform | -| CNAME | `stats` | - | - | - | `matrix.` | [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) monitoring system | -| CNAME | `goneb` | - | - | - | `matrix.` | [Go-NEB](configuring-playbook-bot-go-neb.md) bot | -| CNAME | `sygnal` | - | - | - | `matrix.` | [Sygnal](configuring-playbook-sygnal.md) push notification gateway | -| CNAME | `ntfy` | - | - | - | `matrix.` | [ntfy](configuring-playbook-ntfy.md) push notifications server | -| CNAME | `hydrogen` | - | - | - | `matrix.` | [Hydrogen](configuring-playbook-client-hydrogen.md) web client | -| CNAME | `cinny` | - | - | - | `matrix.` | [Cinny](configuring-playbook-client-cinny.md) web client | -| CNAME | `buscarron` | - | - | - | `matrix.` | [Buscarron](configuring-playbook-bot-buscarron.md) helpdesk bot | -| MX | `matrix` | 10 | 0 | - | `matrix.` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | -| TXT | `matrix` | - | - | - | `v=spf1 ip4: -all` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | -| TXT | `_dmarc.matrix` | - | - | - | `v=DMARC1; p=quarantine;` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | -| TXT | `postmoogle._domainkey.matrix` | - | - | - | get it from `!pm dkim` | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | +| Used by component | Type | Host | Priority | Weight | Port | Target | +| ----------------------------------------------------------------------------------------------------------------------- | ----- | ------------------------------ | -------- | ------ | ---- | --------------------------- | +| [ma1sd](configuring-playbook-ma1sd.md) identity server | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | +| [Dimension](configuring-playbook-dimension.md) integration server | CNAME | `dimension` | - | - | - | `matrix.` | +| [Jitsi](configuring-playbook-jitsi.md) video-conferencing platform | CNAME | `jitsi` | - | - | - | `matrix.` | +| [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) monitoring system | CNAME | `stats` | - | - | - | `matrix.` | +| [Go-NEB](configuring-playbook-bot-go-neb.md) bot | CNAME | `goneb` | - | - | - | `matrix.` | +| [Sygnal](configuring-playbook-sygnal.md) push notification gateway | CNAME | `sygnal` | - | - | - | `matrix.` | +| [ntfy](configuring-playbook-ntfy.md) push notifications server | CNAME | `ntfy` | - | - | - | `matrix.` | +| [Hydrogen](configuring-playbook-client-hydrogen.md) web client | CNAME | `hydrogen` | - | - | - | `matrix.` | +| [Cinny](configuring-playbook-client-cinny.md) web client | CNAME | `cinny` | - | - | - | `matrix.` | +| [Buscarron](configuring-playbook-bot-buscarron.md) helpdesk bot | CNAME | `buscarron` | - | - | - | `matrix.` | +| [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | MX | `matrix` | 10 | 0 | - | `matrix.` | +| [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge | TXT | `matrix` | - | - | - | `v=spf1 ip4: -all` | +| [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge | TXT | `_dmarc.matrix` | - | - | - | `v=DMARC1; p=quarantine;` | +| [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge | TXT | `postmoogle._domainkey.matrix` | - | - | - | get it from `!pm dkim` | ## Subdomains setup From 5cfb0fb47799d2eac6ad0437a5548e44a5dd91f3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 15:06:12 +0300 Subject: [PATCH 13/38] Update Email2Matrix docs page --- docs/configuring-playbook-email2matrix.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/configuring-playbook-email2matrix.md b/docs/configuring-playbook-email2matrix.md index 9bebe0e9..56e181f1 100644 --- a/docs/configuring-playbook-email2matrix.md +++ b/docs/configuring-playbook-email2matrix.md @@ -1,6 +1,7 @@ # Setting up Email2Matrix (optional) **Note**: email bridging can also happen via the [Postmoogle](configuring-playbook-bot-postmoogle.md) bot supported by the playbook. +Postmoogle is much more powerful and easier to use, so we recommend that you use it, instead of Email2Matrix. The playbook can install and configure [email2matrix](https://github.com/devture/email2matrix) for you. @@ -9,6 +10,10 @@ See the project's [documentation](https://github.com/devture/email2matrix/blob/m ## Preparation +### DNS configuration + +It's not strictly necessary, but you may increase the chances that incoming emails reach your server by adding an `MX` record for `matrix.DOMAIN`, as described in the [Configuring DNS](configuring-dns.md) documentation page. + ### Port availability Ensure that port 25 is available on your Matrix server and open in your firewall. From b510848c6d35501358b045e9de492c5dbbc7a176 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 15:13:35 +0300 Subject: [PATCH 14/38] Mention that bot.cactusbot is created automatically Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2089 --- docs/configuring-playbook-cactus-comments.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-cactus-comments.md b/docs/configuring-playbook-cactus-comments.md index 58a989e8..00c76f54 100644 --- a/docs/configuring-playbook-cactus-comments.md +++ b/docs/configuring-playbook-cactus-comments.md @@ -38,8 +38,10 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To get started wit cactus comments message `@bot.cactusbot:your-homeserver.com` and type `help` to make sure it works. -Then register a site by typing: `register `. You will then be invited into a moderation room. +Upon starting Cactus Comments, a `bot.cactusbot` user account is created automatically. + +To get started, send a `help` message to the `@bot.cactusbot:your-homeserver.com` bot to confirm it's working. +Then, register a site by typing: `register `. You will then be invited into a moderation room. Now you are good to go and can include the comment section on your website! **Careful:** To really make use of self-hosting you need change a few things in comparison to the official docs! From d6bd39c79d3f473d357559eb239eb4042f9b5feb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 15:18:57 +0300 Subject: [PATCH 15/38] Add missing quotes Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2089 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d96af363..31ca6133 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1354,7 +1354,7 @@ matrix_cactus_comments_systemd_required_services_list: | (['matrix-' + matrix_homeserver_implementation + '.service']) }} -matrix_cactus_comments_client_nginx_path: {{ '/cactus-comments/' if matrix_nginx_proxy_enabled else matrix_cactus_comments_client_path + '/' }} +matrix_cactus_comments_client_nginx_path: "{{ '/cactus-comments/' if matrix_nginx_proxy_enabled else matrix_cactus_comments_client_path + '/' }}" ###################################################################### # From 5c954b0d5a99482332bff90cae17abeb47068d71 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:55:53 +0000 Subject: [PATCH 16/38] Update Grafana 9.1.3 -> 9.1.4 --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index dcd07bf5..5484ed19 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 9.1.3 +matrix_grafana_version: 9.1.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 8778c14fe27c304507c156f3f86762e9acf15fff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 21:03:41 +0300 Subject: [PATCH 17/38] Upgrade Dendrite (0.9.6 -> 0.9.7) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 28f542e1..db10bafc 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -6,7 +6,7 @@ matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.9.6" +matrix_dendrite_docker_image_tag: "v0.9.7" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 11f2cda21a9e8f8d3a060131c210c8cad55994bc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Sep 2022 21:06:17 +0300 Subject: [PATCH 18/38] Upgrade Certbot (1.28 -> 1.30) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8cf24a22..eec28bee 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -547,7 +547,7 @@ matrix_ssl_lets_encrypt_staging: false # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.28.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.30.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From f12206676f295ad4533e308b54a6b8b4eea9ae89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Sep 2022 15:45:08 +0300 Subject: [PATCH 19/38] Upgrade Synapse (v1.66.0 -> 1.67.0) and remove `frontend_proxy` workers `frontend_proxy` workers have been superseded by `generic_worker` workers. Related to https://github.com/matrix-org/synapse/pull/13645 --- group_vars/matrix_servers | 1 - roles/matrix-nginx-proxy/defaults/main.yml | 1 - .../nginx/conf.d/matrix-synapse.conf.j2 | 30 ------------------- roles/matrix-synapse/defaults/main.yml | 8 +---- .../tasks/synapse/workers/init.yml | 12 -------- .../matrix-synapse/tasks/validate_config.yml | 3 ++ .../templates/synapse/worker.yaml.j2 | 4 +-- roles/matrix-synapse/vars/workers.yml | 29 ++---------------- 8 files changed, 8 insertions(+), 80 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 31ca6133..c0d831e1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1762,7 +1762,6 @@ matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_sy matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}" -matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}" matrix_nginx_proxy_systemd_wanted_services_list: | {{ diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index eec28bee..a7484215 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -625,7 +625,6 @@ matrix_nginx_proxy_synapse_generic_worker_client_server_locations: [] matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] matrix_nginx_proxy_synapse_media_repository_locations: [] matrix_nginx_proxy_synapse_user_dir_locations: [] -matrix_nginx_proxy_synapse_frontend_proxy_locations: [] # synapse content caching matrix_nginx_proxy_synapse_cache_enabled: false diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 735f4538..81e31a7c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -3,7 +3,6 @@ {% set generic_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} {% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} {% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} -{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'frontend_proxy') | list %} {% if matrix_nginx_proxy_synapse_workers_enabled %} {% if matrix_nginx_proxy_synapse_cache_enabled %} proxy_cache_path {{ matrix_nginx_proxy_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}:{{ matrix_nginx_proxy_synapse_cache_keys_zone_size }} inactive={{ matrix_nginx_proxy_synapse_cache_inactive_time }} max_size={{ matrix_nginx_proxy_synapse_cache_max_size_mb }}m; @@ -26,18 +25,6 @@ } {% endif %} - {% if frontend_proxy_workers %} - upstream frontend_proxy_upstream { - {% for worker in frontend_proxy_workers %} - {% if matrix_nginx_proxy_enabled %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} - {% if media_repository_workers %} upstream media_repository_upstream { {% for worker in media_repository_workers %} @@ -120,23 +107,6 @@ server { } {% endfor %} {% endif %} - - {% if frontend_proxy_workers %} - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy - {% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %} - location ~ {{ location }} { - proxy_pass http://frontend_proxy_upstream$request_uri; - proxy_set_header Host $host; - } - {% endfor %} - {% if matrix_nginx_proxy_synapse_presence_disabled %} - # FIXME: keep in sync with synapse workers documentation manually - location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status { - proxy_pass http://frontend_proxy_upstream$request_uri; - proxy_set_header Host $host; - } - {% endif %} - {% endif %} {# Workers redirects END #} {% endif %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a25d2d3f..a7dab5b6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -9,7 +9,7 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.66.0 +matrix_synapse_version: v1.67.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -398,7 +398,6 @@ matrix_synapse_workers_presets: federation_sender_workers_count: 1 media_repository_workers_count: 0 user_dir_workers_count: 0 - frontend_proxy_workers_count: 0 one-of-each: generic_workers_count: 1 pusher_workers_count: 1 @@ -410,7 +409,6 @@ matrix_synapse_workers_presets: # user_dir workers are deprecated since Synapse v1.59. This will be removed. # See: https://github.com/matrix-org/synapse/blob/v1.59.0/docs/upgrade.md#deprecation-of-the-synapseappappservice-and-synapseappuser_dir-worker-application-types user_dir_workers_count: 0 - frontend_proxy_workers_count: 1 # Controls whether the matrix-synapse container exposes the various worker ports # (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. @@ -452,10 +450,6 @@ matrix_synapse_workers_user_dir_workers_count: 0 matrix_synapse_workers_user_dir_workers_port_range_start: 18661 matrix_synapse_workers_user_dir_workers_metrics_range_start: 19661 -matrix_synapse_workers_frontend_proxy_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['frontend_proxy_workers_count'] }}" -matrix_synapse_workers_frontend_proxy_workers_port_range_start: 18771 -matrix_synapse_workers_frontend_proxy_workers_metrics_range_start: 19771 - # Default list of workers to spawn. # # Unless you populate this manually, this list is dynamically generated diff --git a/roles/matrix-synapse/tasks/synapse/workers/init.yml b/roles/matrix-synapse/tasks/synapse/workers/init.yml index 4b007bc3..3aa61923 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/init.yml @@ -56,16 +56,6 @@ register: "matrix_synapse_workers_list_results_media_repository_workers" loop: "{{ range(0, matrix_synapse_workers_media_repository_workers_count | int) | list }}" -- name: Build frontend_proxy workers - ansible.builtin.set_fact: - worker: - type: 'frontend_proxy' - instanceId: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" - port: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" - metrics_port: "{{ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_frontend_proxy_workers" - loop: "{{ range(0, matrix_synapse_workers_frontend_proxy_workers_count | int) | list }}" - - ansible.builtin.set_fact: matrix_synapse_dynamic_workers_list: "{{ matrix_synapse_dynamic_workers_list | default([]) + [item.ansible_facts.worker] }}" with_items: | @@ -79,8 +69,6 @@ matrix_synapse_workers_list_results_appservice_workers.results + matrix_synapse_workers_list_results_media_repository_workers.results - + - matrix_synapse_workers_list_results_frontend_proxy_workers.results }} - ansible.builtin.set_fact: diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index d32fce97..bcb71c75 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -62,6 +62,9 @@ - {'old': 'matrix_synapse_version_arm64', 'new': ''} - {'old': 'matrix_synapse_enable_group_creation', 'new': ''} - {'old': 'matrix_synapse_account_threepid_delegates_email', 'new': ''} + - {'old': 'matrix_synapse_workers_frontend_proxy_workers_count', 'new': ''} + - {'old': 'matrix_synapse_workers_frontend_proxy_workers_port_range_start', 'new': ''} + - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': ''} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml ansible.builtin.fail: diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 239de1f2..33789b0c 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -11,7 +11,7 @@ worker_replication_http_port: {{ matrix_synapse_replication_http_port }} {% set http_resources = [] %} -{% if matrix_synapse_worker_details.type in ['generic_worker', 'frontend_proxy', 'user_dir'] %} +{% if matrix_synapse_worker_details.type in ['generic_worker', 'user_dir'] %} {% set http_resources = http_resources + ['client'] %} {% endif %} {% if matrix_synapse_worker_details.type in ['generic_worker'] %} @@ -38,7 +38,7 @@ worker_listeners: {% endif %} {% endif %} -{% if matrix_synapse_worker_details.type == 'frontend_proxy' %} +{% if matrix_synapse_worker_details.type == 'generic_worker' %} worker_main_http_uri: http://matrix-synapse:{{ matrix_synapse_container_client_api_port }} {% endif %} diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index e535d2cc..3f34bcb2 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -55,10 +55,12 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ # Encryption requests + # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` - ^/_matrix/client/(r0|v3|unstable)/keys/query$ - ^/_matrix/client/(r0|v3|unstable)/keys/changes$ - ^/_matrix/client/(r0|v3|unstable)/keys/claim$ - ^/_matrix/client/(r0|v3|unstable)/room_keys/ + - ^/_matrix/client/(r0|v3|unstable)/keys/upload/ # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ @@ -172,7 +174,6 @@ matrix_synapse_workers_generic_worker_endpoints: # Additionally, the writing of specific streams (such as events) can be moved off # of the main process to a particular worker. - # (This is only supported with Redis-based replication.) # To enable this, the worker must have a HTTP replication listener configured, # have a `worker_name` and be listed in the `instance_map` config. The same worker @@ -432,35 +433,9 @@ matrix_synapse_workers_user_dir_endpoints: # If `update_user_directory` is set to `false`, and this worker is not running, # the above endpoint may give outdated results. -matrix_synapse_workers_frontend_proxy_endpoints: - # Proxies some frequently-requested client endpoints to add caching and remove - # load from the main synapse. It can handle REST endpoints matching the following - # regular expressions: - - - ^/_matrix/client/(r0|v3|unstable)/keys/upload - - # If `use_presence` is False in the homeserver config, it can also handle REST - # endpoints matching the following regular expressions: - - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status - - # This "stub" presence handler will pass through `GET` request but make the - # `PUT` effectively a no-op. - - # It will proxy any requests it cannot handle to the main synapse instance. It - # must therefore be configured with the location of the main instance, via - # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration - # file. For example: - - # ```yaml - # worker_main_http_uri: http://127.0.0.1:8008 - # ``` - matrix_synapse_workers_avail_list: - appservice - federation_sender - - frontend_proxy - generic_worker - media_repository - pusher From afe5a016cb70238668709cf4704de2955a3376f7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Sep 2022 13:48:57 +0000 Subject: [PATCH 20/38] Update Grafana 9.1.4 -> 9.1.5 --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 5484ed19..dda120a2 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 9.1.4 +matrix_grafana_version: 9.1.5 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From c29a39a6fb56754b9549fcd3ef9d8893336d6f16 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Sep 2022 13:49:39 +0000 Subject: [PATCH 21/38] Update Element 1.11.4 -> 1.11.5 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index c4e187a9..4898e9ca 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.4 +matrix_client_element_version: v1.11.5 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 83482721f8c849cd71f94ec933852e8d9b420e55 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Sep 2022 13:51:32 +0000 Subject: [PATCH 22/38] Update Coturn 4.5.2-r14 -> 4.6.0-r0 --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index bc87d654..b2aff984 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2-r14 +matrix_coturn_version: 4.6.0-r0 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 2edd9a056e7a5ac5bb6159ba7d504995f361df11 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Sep 2022 13:52:36 +0000 Subject: [PATCH 23/38] Update Appservice IRC 0.34.0 -> 0.35.0 --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 93a8e084..fb0f3a33 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.34.0 +matrix_appservice_irc_version: 0.35.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 17e6c52cbf64882cca428ece1f0dc6730b0a813f Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Sep 2022 13:53:45 +0000 Subject: [PATCH 24/38] Update Dendrite 0.9.7 -> 0.9.8 --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index db10bafc..2a6c4fd6 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -6,7 +6,7 @@ matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.9.7" +matrix_dendrite_docker_image_tag: "v0.9.8" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 6f02a916ec49c290898b9a36badf99a69b351c4d Mon Sep 17 00:00:00 2001 From: TheOneWithTheBraid Date: Sun, 21 Aug 2022 11:04:47 +0200 Subject: [PATCH 25/38] feat: include matrix_ldap_registration_proxy Fixes: #1144 Signed-off-by: TheOneWithTheBraid --- .../defaults/main.yml | 47 ++++++++++++++ .../tasks/init.yml | 11 ++++ .../tasks/main.yml | 30 +++++++++ ...f_check_matrix_ldap_registration_proxy.yml | 22 +++++++ .../tasks/setup_install.yml | 63 +++++++++++++++++++ .../tasks/setup_uninstall.yml | 36 +++++++++++ .../tasks/validate_config.yml | 0 .../templates/ldap-registration-proxy.env.j2 | 32 ++++++++++ .../matrix-ldap-registration-proxy.service.j2 | 43 +++++++++++++ .../vars/main.yml | 5 ++ 10 files changed, 289 insertions(+) create mode 100644 roles/matrix-ldap-registration-proxy/defaults/main.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/init.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/main.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/setup_install.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/validate_config.yml create mode 100644 roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 create mode 100644 roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 create mode 100644 roles/matrix-ldap-registration-proxy/vars/main.yml diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml new file mode 100644 index 00000000..5516f4f9 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -0,0 +1,47 @@ +--- +# matrix_ldap_registration_proxy - Want to build a large-scale Matrix server using external registration on LDAP? +# Project source code URL: https://gitlab.com/activism.international/matrix_ldap_registration_proxy + +matrix_ldap_registration_proxy_enabled: false + +matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git" +matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}" + +matrix_ldap_registration_proxy_version: "296246afc6a9b3105e67fcf6621cf05ebc74b873" + +matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ldap_registration_proxy" +# We need the docker src directory to be named matrix_ldap_registration_proxy. +matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy" +matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config" + +matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" +matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}" +matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" +matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" +matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}" +matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true + +matrix_ldap_registration_proxy_container_port: 8080 +# Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. +matrix_ldap_registration_proxy_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ldap_registration_proxy_container_extra_arguments: [] + +# List of systemd services that matrix_ldap_registration_proxy.service depends on +matrix_ldap_registration_proxy_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix_ldap_registration_proxy.service wants +matrix_ldap_registration_proxy_systemd_wanted_services_list: [] + +# Default ma1sd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +matrix_ldap_registration_proxy_configuration_env: "{{ lookup('template', 'templates/ldap-registration-proxy.env.j2') }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +matrix_ldap_registration_proxy_configuration: "{{ matrix_ldap_registration_proxy_configuration_env }}" diff --git a/roles/matrix-ldap-registration-proxy/tasks/init.yml b/roles/matrix-ldap-registration-proxy/tasks/init.yml new file mode 100644 index 00000000..312165cc --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/init.yml @@ -0,0 +1,11 @@ +--- +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + ansible.builtin.fail: + msg: "To self-build the matrix_ldap_registration_proxy image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_matrix_ldap_registration_proxy_container_image_self_build and matrix_matrix_ldap_registration_proxy_enabled | bool" + +- ansible.builtin.set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-matrix-ldap-registration-proxy.service'] }}" + when: matrix_matrix_ldap_registration_proxy_enabled | bool diff --git a/roles/matrix-ldap-registration-proxy/tasks/main.yml b/roles/matrix-ldap-registration-proxy/tasks/main.yml new file mode 100644 index 00000000..720d27ba --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/main.yml @@ -0,0 +1,30 @@ +--- + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_matrix_ldap_registration_proxy.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - self-check diff --git a/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml b/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml new file mode 100644 index 00000000..ce46c45a --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml @@ -0,0 +1,22 @@ +--- + +- ansible.builtin.set_fact: + matrix_ldap_registration_proxy_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/r0/register" + +- name: Check matrix_ldap_registration_proxy Service + ansible.builtin.uri: + url: "{{ matrix_ldap_registration_proxy_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_matrix_ldap_registration_proxy_self_check_validate_certificates }}" + check_mode: false + register: result_matrix_ldap_registration_proxy + ignore_errors: true + +- name: Fail if matrix_ldap_registration_proxy Service not working + ansible.builtin.fail: + msg: "Failed checking matrix_ldap_registration_proxy is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`). Is matrix_ldap_registration_proxy running? Is port 443 open in your firewall? Full error: {{ result_matrix_ldap_registration_proxy }}" + when: "result_matrix_ldap_registration_proxy.failed or 'json' not in result_matrix_ldap_registration_proxy" + +- name: Report working matrix_ldap_registration_proxy Service + ansible.builtin.debug: + msg: "matrix_ldap_registration_proxy at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`)" diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml new file mode 100644 index 00000000..1f0307ec --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml @@ -0,0 +1,63 @@ +--- + +- name: Ensure matrix_ldap_registration_proxy paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_ldap_registration_proxy_config_path }}", when: true} + - {path: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}", when: true} + when: "item.when | bool" + +- ansible.builtin.set_fact: + matrix_ldap_registration_proxy_requires_restart: false + +- name: Ensure matrix_ldap_registration_proxy repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_ldap_registration_proxy_container_image_self_build_repo }}" + dest: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}" + version: "{{ matrix_ldap_registration_proxy_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_ldap_registration_proxy_git_pull_results + +- name: Ensure matrix_ldap_registration_proxy Docker image is built + docker_image: + name: "{{ matrix_ldap_registration_proxy_docker_image }}" + source: build + force_source: "{{ matrix_ldap_registration_proxy_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}" + pull: true + when: true + +- name: Ensure matrix_ldap_registration_proxy config installed + ansible.builtin.copy: + content: "{{ matrix_ldap_registration_proxy_configuration }}" + dest: "{{ matrix_ldap_registration_proxy_config_path }}/ldap-registration-proxy.env" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-ldap-registration-proxy.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-ldap-registration-proxy.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" + mode: 0644 + register: matrix_ldap_registration_proxy_systemd_service_result + +- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service installation + ansible.builtin.service: + daemon_reload: true + when: "matrix_ldap_registration_proxy_systemd_service_result.changed | bool" + +- name: Ensure matrix-ldap-registration-proxy.service restarted, if necessary + ansible.builtin.service: + name: "matrix-ldap-registration-proxy.service" + state: restarted + when: "matrix_ldap_registration_proxy_requires_restart | bool" diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml new file mode 100644 index 00000000..cc542edf --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-matrix_ldap_registration_proxy service + ansible.builtin.stat: + path: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" + register: matrix_matrix_ldap_registration_proxy_service_stat + +- name: Ensure matrix-matrix_ldap_registration_proxy is stopped + ansible.builtin.service: + name: matrix-matrix_ldap_registration_proxy + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + +- name: Ensure matrix-ldap-registration-proxy.service doesn't exist + ansible.builtin.file: + path: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" + state: absent + when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + +- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service removal + ansible.builtin.service: + daemon_reload: true + when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + +- name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist + ansible.builtin.file: + path: "{{ matrix_matrix_ldap_registration_proxy_base_path }}" + state: absent + +- name: Ensure matrix_ldap_registration_proxy Docker image doesn't exist + docker_image: + name: "{{ matrix_matrix_ldap_registration_proxy_docker_image }}" + state: absent diff --git a/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml b/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 new file mode 100644 index 00000000..e7ee29ba --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 @@ -0,0 +1,32 @@ +# please specify the configuration here +# +# these settings are mandatory + +# The server to connect to. Please note it must be accessible from the Docker network +# example: `ldap://127.0.0.1:389` +LDAP_SERVER={{ matrix_ldap_registration_proxy_ldap_uri }} + +# the base DN used for user creation + +LDAP_BASE_DN={{ matrix_ldap_registration_proxy_ldap_base_dn }} + +# the privileged user used for user creation including it's DN +# example: `uid=admin,cn=users,cn=accounts,dc=example,dc=org` + +LDAP_USER={{ matrix_ldap_registration_proxy_ldap_user }} + +# the password of the `LDAP_USER` used for authentication +LDAP_PASSWORD={{ matrix_ldap_registration_proxy_ldap_password }} + +# the human-readable server name of your Matrix server as used in the Matrix ID +# example: `example.org` +MATRIX_SERVER_NAME={{ matrix_ldap_registration_proxy_matrix_server_name }} + +# the url to access the Matrix server API without trailing `/` +# example: `https://matrix.example.org` +MATRIX_SERVER_URL={{ matrix_ldap_registration_proxy_matrix_server_url }} + +# these settings are optional: + +# Specify the port to listen on. Default to 8080 +LISTEN_PORT={{ matrix_ldap_registration_proxy_container_port }} diff --git a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 new file mode 100644 index 00000000..afbabe72 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix_ldap_registration_proxy +{% for service in matrix_ldap_registration_proxy_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_ldap_registration_proxy_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-matrix_ldap_registration_proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-matrix_ldap_registration_proxy 2>/dev/null || true' + +# matrix_ldap_registration_proxy writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ldap-registration-proxy \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_ldap_registration_proxy_container_http_host_bind_port %} + -p {{ matrix_ldap_registration_proxy_container_http_host_bind_port }}:{{ matrix_ldap_registration_proxy_container_port }} \ + {% endif %} + --env-file {{ matrix_ldap_registration_proxy_config_path }}/ldap-registration-proxy.env \ + {% for arg in matrix_ldap_registration_proxy_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_ldap_registration_proxy_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ldap-registration-proxy 2>/dev/null || true' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ldap-registration-proxy 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-ldap-registration-proxy + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-ldap-registration-proxy/vars/main.yml b/roles/matrix-ldap-registration-proxy/vars/main.yml new file mode 100644 index 00000000..3adc735e --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml else {} }}" From 8e76d712df66e7c0191e064562d8ae563cb79736 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:44:49 +0200 Subject: [PATCH 26/38] Remove ma1sd leftovers --- roles/matrix-ldap-registration-proxy/vars/main.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 roles/matrix-ldap-registration-proxy/vars/main.yml diff --git a/roles/matrix-ldap-registration-proxy/vars/main.yml b/roles/matrix-ldap-registration-proxy/vars/main.yml deleted file mode 100644 index 3adc735e..00000000 --- a/roles/matrix-ldap-registration-proxy/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml else {} }}" From 91e75d650ec69eb205fdcf59324c26f7d3fb9111 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:46:56 +0200 Subject: [PATCH 27/38] Validate that basic LDAP settings are provided --- .../tasks/validate_config.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml b/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml index e69de29b..6b52af9c 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- + +- name: Fail if required settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_ldap_registration_proxy_ldap_uri" + - "matrix_ldap_registration_proxy_ldap_base_dn" + - "matrix_ldap_registration_proxy_ldap_user" + - "matrix_ldap_registration_proxy_ldap_password" From 42230b6765e972d37d6ae4eb2ad008e9de0e8346 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:53:26 +0200 Subject: [PATCH 28/38] Make role enabled in role but turn it off in group vars --- group_vars/matrix_servers | 14 ++++++++++++++ .../defaults/main.yml | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c0d831e1..1898d9f7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1570,6 +1570,20 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab # /matrix-jitsi # ###################################################################### +###################################################################### +# +# matrix-ldap-registration-proxy +# +###################################################################### + +# This is only for users with a specific LDAP setup +matrix_ldap_registration_proxy_enabled: false + +###################################################################### +# +# /matrix-ldap-registration-proxy +# +###################################################################### ###################################################################### # diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 5516f4f9..44a670c1 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -2,7 +2,7 @@ # matrix_ldap_registration_proxy - Want to build a large-scale Matrix server using external registration on LDAP? # Project source code URL: https://gitlab.com/activism.international/matrix_ldap_registration_proxy -matrix_ldap_registration_proxy_enabled: false +matrix_ldap_registration_proxy_enabled: true matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git" matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}" From b6fee92f0e3d43ad6e8ffc82195fb3e8ad872aac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:56:03 +0200 Subject: [PATCH 29/38] Avoid cross-referencing of variables in role, move to group vars --- group_vars/matrix_servers | 6 ++++++ roles/matrix-ldap-registration-proxy/defaults/main.yml | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1898d9f7..a204093e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1579,6 +1579,12 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab # This is only for users with a specific LDAP setup matrix_ldap_registration_proxy_enabled: false +# Use the LDAP values specified for the synapse role to setup LDAP proxy +matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" +matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}" +matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" +matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" + ###################################################################### # # /matrix-ldap-registration-proxy diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 44a670c1..4165c591 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -14,10 +14,10 @@ matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ld matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy" matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config" -matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" -matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}" -matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" -matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" +matrix_ldap_registration_proxy_ldap_uri: "" +matrix_ldap_registration_proxy_ldap_base_dn: "" +matrix_ldap_registration_proxy_ldap_user: "" +matrix_ldap_registration_proxy_ldap_password: "" matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}" matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}" From b4fdc622fd671b94d9a1fd5a50751938ca495d89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:59:07 +0200 Subject: [PATCH 30/38] Remove ma1sd leftovers --- roles/matrix-ldap-registration-proxy/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 4165c591..15f59749 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -39,9 +39,9 @@ matrix_ldap_registration_proxy_systemd_required_services_list: ['docker.service' # List of systemd services that matrix_ldap_registration_proxy.service wants matrix_ldap_registration_proxy_systemd_wanted_services_list: [] -# Default ma1sd configuration template which covers the generic use case. +# Default LDAP configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. matrix_ldap_registration_proxy_configuration_env: "{{ lookup('template', 'templates/ldap-registration-proxy.env.j2') }}" -# Holds the final ma1sd configuration (a combination of the default and its extension). +# Holds the final LDAP configuration (a combination of the default and its extension). matrix_ldap_registration_proxy_configuration: "{{ matrix_ldap_registration_proxy_configuration_env }}" From bdfd84e146069290a0942b928bf58ada6e5e3729 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 09:09:09 +0200 Subject: [PATCH 31/38] Use a template option for the env with variable extension --- .../matrix-ldap-registration-proxy/defaults/main.yml | 11 ++++++----- .../tasks/setup_install.yml | 4 ++-- .../templates/ldap-registration-proxy.env.j2 | 3 +++ 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 15f59749..469a2f29 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -39,9 +39,10 @@ matrix_ldap_registration_proxy_systemd_required_services_list: ['docker.service' # List of systemd services that matrix_ldap_registration_proxy.service wants matrix_ldap_registration_proxy_systemd_wanted_services_list: [] -# Default LDAP configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -matrix_ldap_registration_proxy_configuration_env: "{{ lookup('template', 'templates/ldap-registration-proxy.env.j2') }}" +# Additional environment variables to pass to the LDAP proxy environment variables. +# +# Example: +# matrix_ldap_registration_proxy_env_variables_extension: | +# KEY=value +matrix_ldap_registration_proxy_env_variables_extension: '' -# Holds the final LDAP configuration (a combination of the default and its extension). -matrix_ldap_registration_proxy_configuration: "{{ matrix_ldap_registration_proxy_configuration_env }}" diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml index 1f0307ec..87037337 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml @@ -37,8 +37,8 @@ when: true - name: Ensure matrix_ldap_registration_proxy config installed - ansible.builtin.copy: - content: "{{ matrix_ldap_registration_proxy_configuration }}" + ansible.builtin.template: + src: "{{ role_path }}/templates/ldap-registration-proxy.env.j2" dest: "{{ matrix_ldap_registration_proxy_config_path }}/ldap-registration-proxy.env" mode: 0644 owner: "{{ matrix_user_username }}" diff --git a/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 index e7ee29ba..581a0b0d 100644 --- a/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 +++ b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 @@ -30,3 +30,6 @@ MATRIX_SERVER_URL={{ matrix_ldap_registration_proxy_matrix_server_url }} # Specify the port to listen on. Default to 8080 LISTEN_PORT={{ matrix_ldap_registration_proxy_container_port }} + +# Use this to extend the configuration with custom variables +{{ matrix_ldap_registration_proxy_env_variables_extension }} From 7c79f78d03039c2ba25086dc6e8fea19f372e337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 09:09:59 +0200 Subject: [PATCH 32/38] Remove selfcheck --- .../tasks/main.yml | 7 ------ ...f_check_matrix_ldap_registration_proxy.yml | 22 ------------------- 2 files changed, 29 deletions(-) delete mode 100644 roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml diff --git a/roles/matrix-ldap-registration-proxy/tasks/main.yml b/roles/matrix-ldap-registration-proxy/tasks/main.yml index 720d27ba..576fc1f4 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/main.yml @@ -21,10 +21,3 @@ tags: - setup-all - setup-matrix-ldap-registration-proxy - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_matrix_ldap_registration_proxy.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" - tags: - - self-check diff --git a/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml b/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml deleted file mode 100644 index ce46c45a..00000000 --- a/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_ldap_registration_proxy_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/r0/register" - -- name: Check matrix_ldap_registration_proxy Service - ansible.builtin.uri: - url: "{{ matrix_ldap_registration_proxy_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_matrix_ldap_registration_proxy_self_check_validate_certificates }}" - check_mode: false - register: result_matrix_ldap_registration_proxy - ignore_errors: true - -- name: Fail if matrix_ldap_registration_proxy Service not working - ansible.builtin.fail: - msg: "Failed checking matrix_ldap_registration_proxy is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`). Is matrix_ldap_registration_proxy running? Is port 443 open in your firewall? Full error: {{ result_matrix_ldap_registration_proxy }}" - when: "result_matrix_ldap_registration_proxy.failed or 'json' not in result_matrix_ldap_registration_proxy" - -- name: Report working matrix_ldap_registration_proxy Service - ansible.builtin.debug: - msg: "matrix_ldap_registration_proxy at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`)" From a03b5efc42a66c5357cf28cefce5f6c2cd786bbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 19:38:27 +0200 Subject: [PATCH 33/38] Add nginx rewrite for registration --- .../defaults/main.yml | 4 ++++ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 14 ++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 469a2f29..712e1101 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -30,6 +30,10 @@ matrix_ldap_registration_proxy_container_port: 8080 # Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. matrix_ldap_registration_proxy_container_http_host_bind_port: '' +matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_-egistration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" +matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}" + + # A list of extra arguments to pass to the container matrix_ldap_registration_proxy_container_extra_arguments: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 2895ba14..0e16e3e3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -129,6 +129,20 @@ } {% endif %} + {% if matrix_ldap_registration_proxy_enabled %} + location _matrix/client/r0/register { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + proxy_pass http://$backend/register; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}/register; + {% endif %} + } + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 94c9312bd0ee4d94145f889cf525775d2356d85c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 5 Sep 2022 21:48:19 +0200 Subject: [PATCH 34/38] Remove matrix LDAP proxy config from nginx role --- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 0e16e3e3..2895ba14 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -129,20 +129,6 @@ } {% endif %} - {% if matrix_ldap_registration_proxy_enabled %} - location _matrix/client/r0/register { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; - proxy_pass http://$backend/register; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}/register; - {% endif %} - } - {% endif %} - {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 19e61b0ad726d8b9592a02bb504b2089be91bf3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 5 Sep 2022 21:52:43 +0200 Subject: [PATCH 35/38] Inject nginx configuration for ldap proxy at runtime --- .../tasks/init.yml | 51 ++++++++++++++++++- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/tasks/init.yml b/roles/matrix-ldap-registration-proxy/tasks/init.yml index 312165cc..15017333 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/init.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/init.yml @@ -4,8 +4,55 @@ - name: Fail if trying to self-build on Ansible < 2.8 ansible.builtin.fail: msg: "To self-build the matrix_ldap_registration_proxy image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_matrix_ldap_registration_proxy_container_image_self_build and matrix_matrix_ldap_registration_proxy_enabled | bool" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ldap_registration_proxy_container_image_self_build and matrix_ldap_registration_proxy_enabled | bool" - ansible.builtin.set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-matrix-ldap-registration-proxy.service'] }}" - when: matrix_matrix_ldap_registration_proxy_enabled | bool + when: matrix_ldap_registration_proxy_enabled | bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + + - name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: | + location {{ matrix_ldap_registration_proxy_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}"; + proxy_pass http://$backend/register;; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register; + {% endif %} + } + + - name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration] + }} + - name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` + URL endpoint to the matrix-matrix-ldap-proxy container. + You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" + + tags: + - always + when: matrix_ldap_registration_proxy_enabled | bool and matrix_ldap_registration_proxy_appservice_public_enabled | bool From d33a668e6535c9ddab25289fbb50b1abd76667a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 5 Sep 2022 21:54:10 +0200 Subject: [PATCH 36/38] Add role to setup.yml --- setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.yml b/setup.yml index bd78158c..723f87d9 100755 --- a/setup.yml +++ b/setup.yml @@ -60,6 +60,7 @@ - matrix-client-hydrogen - matrix-client-cinny - matrix-jitsi + - matrix-ldap-registration-proxy - matrix-ma1sd - matrix-dimension - matrix-etherpad From 1da77f03b16b0832b79189767b143668f226f7af Mon Sep 17 00:00:00 2001 From: TheOneWithTheBraid Date: Tue, 6 Sep 2022 09:01:35 +0000 Subject: [PATCH 37/38] fix: updated default variables Signed-off-by: TheOneWithTheBraid --- .../matrix-ldap-registration-proxy/defaults/main.yml | 7 ++++++- roles/matrix-ldap-registration-proxy/tasks/init.yml | 4 ++-- roles/matrix-ldap-registration-proxy/tasks/main.yml | 6 +++--- .../tasks/setup_uninstall.yml | 12 ++++++------ .../matrix-ldap-registration-proxy.service.j2 | 4 ++-- 5 files changed, 19 insertions(+), 14 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 712e1101..8f7a2e2d 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -7,6 +7,9 @@ matrix_ldap_registration_proxy_enabled: true matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git" matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}" +matrix_ldap_registration_proxy_docker_image: "{{ matrix_ldap_registration_proxy_docker_image_name_prefix }}activism.international/matrix_ldap_registration_proxy:{{ matrix_ldap_registration_proxy_version }}" +matrix_ldap_registration_proxy_docker_image_name_prefix: "localhost/" + matrix_ldap_registration_proxy_version: "296246afc6a9b3105e67fcf6621cf05ebc74b873" matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ldap_registration_proxy" @@ -14,6 +17,8 @@ matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ld matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy" matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config" +matrix_ldap_registration_proxy_appservice_public_enabled: false + matrix_ldap_registration_proxy_ldap_uri: "" matrix_ldap_registration_proxy_ldap_base_dn: "" matrix_ldap_registration_proxy_ldap_user: "" @@ -22,7 +27,7 @@ matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}" matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}" # Controls whether the self-check feature should validate SSL certificates. -matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true +matrix_ldap_registration_proxy_self_check_validate_certificates: true matrix_ldap_registration_proxy_container_port: 8080 # Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container). diff --git a/roles/matrix-ldap-registration-proxy/tasks/init.yml b/roles/matrix-ldap-registration-proxy/tasks/init.yml index 15017333..f7ed52c5 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/init.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/init.yml @@ -7,7 +7,7 @@ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ldap_registration_proxy_container_image_self_build and matrix_ldap_registration_proxy_enabled | bool" - ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-matrix-ldap-registration-proxy.service'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ldap-registration-proxy.service'] }}" when: matrix_ldap_registration_proxy_enabled | bool - block: @@ -49,7 +49,7 @@ NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy reverse proxy. Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` - URL endpoint to the matrix-matrix-ldap-proxy container. + URL endpoint to the matrix-ldap-proxy container. You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/matrix-ldap-registration-proxy/tasks/main.yml b/roles/matrix-ldap-registration-proxy/tasks/main.yml index 576fc1f4..5815774e 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/main.yml @@ -5,19 +5,19 @@ - always - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" tags: - setup-all - setup-matrix-ldap-registration-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" tags: - setup-all - setup-matrix-ldap-registration-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_matrix_ldap_registration_proxy_enabled | bool" + when: "run_setup | bool and not matrix_ldap_registration_proxy_enabled | bool" tags: - setup-all - setup-matrix-ldap-registration-proxy diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml index cc542edf..3225a3ae 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml @@ -3,7 +3,7 @@ - name: Check existence of matrix-matrix_ldap_registration_proxy service ansible.builtin.stat: path: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" - register: matrix_matrix_ldap_registration_proxy_service_stat + register: matrix_ldap_registration_proxy_service_stat - name: Ensure matrix-matrix_ldap_registration_proxy is stopped ansible.builtin.service: @@ -12,25 +12,25 @@ enabled: false daemon_reload: true register: stopping_result - when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool" - name: Ensure matrix-ldap-registration-proxy.service doesn't exist ansible.builtin.file: path: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" state: absent - when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool" - name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service removal ansible.builtin.service: daemon_reload: true - when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool" - name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist ansible.builtin.file: - path: "{{ matrix_matrix_ldap_registration_proxy_base_path }}" + path: "{{ matrix_ldap_registration_proxy_base_path }}" state: absent - name: Ensure matrix_ldap_registration_proxy Docker image doesn't exist docker_image: - name: "{{ matrix_matrix_ldap_registration_proxy_docker_image }}" + name: "{{ matrix_ldap_registration_proxy_docker_image }}" state: absent diff --git a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 index afbabe72..4c68ed46 100644 --- a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 +++ b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-matrix_ldap_registration_proxy 2>/dev/null || true' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-matrix_ldap_registration_proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix_ldap_registration_proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix_ldap_registration_proxy 2>/dev/null || true' # matrix_ldap_registration_proxy writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option. From 54d5741ec14563a454f17982bccd527a0dec1e4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 6 Sep 2022 09:37:35 +0200 Subject: [PATCH 38/38] Fix typo --- roles/matrix-ldap-registration-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 8f7a2e2d..2d2894c9 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -35,7 +35,7 @@ matrix_ldap_registration_proxy_container_port: 8080 # Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. matrix_ldap_registration_proxy_container_http_host_bind_port: '' -matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_-egistration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" +matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}"