Compare commits

497 Commits

Author | SHA1 | Message | Date
titanz | 4f8b8f799b | repo update | 2 years ago
Slavi Pantaleev | 413049feea | Remove shell configuration for better compatibility | 2 years ago
Slavi Pantaleev | ba166cd258 | Merge pull request #2603 from etkecc/agru | 2 years ago
Aine | 34a03cf732 | safely integrate agru, format justfile, format requirements.yml | 2 years ago
Slavi Pantaleev | e60febc9ca | Use git for fetching the geerlingguy.docker role | 2 years ago
Slavi Pantaleev | 0ebad3d904 | Merge pull request #2601 from etkecc/patch-201 | 2 years ago
Aine | e04894de7c | Update borg 1.2.3 -> 1.2.4 | 2 years ago
jakicoll | 4891d0d427 | Remove the self-build stub, because self-build was not implemented | 2 years ago
Paul N | 9e5d88b2c3 | Clarify task name and add user and group to templated env file | 2 years ago
Jakob S | e08bd55d75 | Consolidate conditionals into a block, keep image | 2 years ago
jakicoll | 02d3763e25 | Change comment | 2 years ago
jakicoll | 71a1190b38 | Wording: change collection -> playbook | 2 years ago
jakicoll | adf1e78f04 | Matrix Authentication Support for Jitsi | 2 years ago
Slavi Pantaleev | d725424f39 | Merge pull request #2600 from etkecc/fix-honoroit-networks | 2 years ago
Aine | 6d5cf9cbcd | fix honoroit networks | 2 years ago
Slavi Pantaleev | 87567b3d0b | Merge pull request #2599 from etkecc/honoroit-networks | 2 years ago
Aine | 15ce377235 | honoroit - add matrix_bot_honoroit_hostname into group vars | 2 years ago
Aine | 0b18f03195 | honoroit - add proper networking configuration and traefik labels | 2 years ago
Slavi Pantaleev | 6b3ab052f6 | Upgrade prometheus_node_exporter (v1.5.0-6 -> v1.5.0-7) | 2 years ago
Slavi Pantaleev | 7f8bc79947 | Merge pull request #2597 from etkecc/patch-200 | 2 years ago
Aine | 1a23016570 | Update grafana v9.4.3 -> v9.4.7 | 2 years ago
Slavi Pantaleev | 7be8943b64 | Pin matrix-rageshake to 1.9.0 | 2 years ago
Slavi Pantaleev | a086688867 | Merge pull request #2596 from Zocker1999NET/patch-2 | 2 years ago
Slavi Pantaleev | a54d8f82a0 | Update configuring-playbook-ntfy.md | 2 years ago
Felix Stupp | e29af490c0 | CHANGELOG: Add disabled ntfy web app | 2 years ago
Felix Stupp | 87b74e6c3e | ntfy doc: Describe web app & how to enable it | 2 years ago
Slavi Pantaleev | 69b2df629b | Enable some recommended Coturn options in an effort to lower DDoS amplification factor | 2 years ago
Slavi Pantaleev | c222391e77 | Upgrade Traefik (v2.9.8-2 -> v2.9.9-0) | 2 years ago
Slavi Pantaleev | 7a7c75c6a4 | Upgrade prometheus_postgres_exporter (v0.11.1-2 -> v0.12.0-0) | 2 years ago
Slavi Pantaleev | 4a009480ae | Merge pull request #2593 from etkecc/patch-197 | 2 years ago
Slavi Pantaleev | 01c565fc76 | Merge pull request #2594 from etkecc/patch-198 | 2 years ago
Slavi Pantaleev | 6ef8a30dc4 | Merge pull request #2595 from etkecc/patch-199 | 2 years ago
Aine | 045542be76 | Update redis 7.0.9 -> 7.0.10 | 2 years ago
Aine | 38fc864745 | Update hookshot 3.0.0 -> 3.0.1 | 2 years ago
Aine | 5c0cc0168c | Update prometheus v2.42.0 -> v2.43.0 | 2 years ago
Slavi Pantaleev | 14b8efcad2 | Replace matrix-prometheus with an external Prometheus role | 2 years ago
Slavi Pantaleev | d351213486 | Upgrade prometheus_node_exporter (v1.5.0-4 -> v1.5.0-6) | 2 years ago
Slavi Pantaleev | 01db1ae9b7 | Mention passlib | 2 years ago
Slavi Pantaleev | a1a37700b9 | Update one more devture/ansible reference | 2 years ago
Slavi Pantaleev | a542a2ff41 | Upgrade devture/ansible (2.13.6-r0-2 -> 2.13.6-r0-3) | 2 years ago
Slavi Pantaleev | 21c2bbb11f | Add matrix_prometheus_nginxlog_exporter_container_network | 2 years ago
Slavi Pantaleev | ade312e6f6 | Add matrix_hookshot_container_network | 2 years ago
Slavi Pantaleev | 1b6a85e485 | Do not consider prometheus-exporters as part of the prometheus group | 2 years ago
Slavi Pantaleev | abf96569e0 | Add extra_args support to install-service justfile command | 2 years ago
Slavi Pantaleev | d974c0c166 | Make yamllint happy | 2 years ago
Slavi Pantaleev | 220d80ac3a | Move matrix-aux outside of this playbook | 2 years ago
Slavi Pantaleev | be3a733b69 | Merge pull request #2588 from ctwelve/patch-1 | 2 years ago
Justin Croonenberghs | 39f53e81d0 | Update sliding sync doc for external DB users | 2 years ago
titanz | 9fd152a3ec | doesn't work yet | 2 years ago
Slavi Pantaleev | e726c97edc | Merge pull request #2584 from Kab1r/fix/sliding-sync-sync-url | 2 years ago
Slavi Pantaleev | 3e84e354a8 | Add "install-service" justfile command | 2 years ago
Slavi Pantaleev | 2c233492db | Merge pull request #2585 from etkecc/patch-196 | 2 years ago
Aine | b01e7b1ae5 | update ntfy 2.1.2 -> 2.2.0 | 2 years ago
Kabir Kwatra | 8202acf742 | fix(sliding-sync): use external syncv3 server url | 2 years ago
Slavi Pantaleev | 4198d04ec8 | Merge pull request #2582 from etkecc/prometheus-node-exporter-changes | 2 years ago
Aine | 88dc5e0de0 | migrate prometheus-node-exporter's var | 2 years ago
Slavi Pantaleev | 8f0bef347a | Merge pull request #2581 from array-in-a-matrix/master | 2 years ago
Array in a Matrix | dd1712d457 | fix typo | 2 years ago
array-in-a-matrix | f1c0321a8c | add relay api database for dendrite | 2 years ago
Slavi Pantaleev | 554915bd74 | Merge pull request #2579 from etkecc/patch-195 | 2 years ago
Slavi Pantaleev | 01cf29ecf4 | Merge pull request #2578 from etkecc/patch-194 | 2 years ago
Slavi Pantaleev | 00c00cf69b | Merge pull request #2577 from etkecc/patch-193 | 2 years ago
Aine | 7ef804f62f | Update hookshot 2.7.0 -> 3.0.0 | 2 years ago
Aine | e6552a9c3b | Update mautrix-whatsapp 0.8.2 -> 0.8.3 | 2 years ago
Aine | 281bad125d | Update mautrix-discord 0.1.1 -> 0.2.0 | 2 years ago
Slavi Pantaleev | 56b0706863 | Fix default database name | 2 years ago
Slavi Pantaleev | eae9565cde | Merge pull request #2575 from etkecc/patch-192 | 2 years ago
Aine | ff6e7f0ac5 | Update borgmatic 1.7.8 -> 1.7.9 | 2 years ago
Slavi Pantaleev | ee4bac1988 | Upgrade matrix-corporal (2.5.1 -> 2.5.2) | 2 years ago
Slavi Pantaleev | d6975e4ab8 | Upgrade com.devture.ansible.role.postgres | 2 years ago
Slavi Pantaleev | 2b49ae79ca | Use just for Postgres maintenance command examples | 2 years ago
Slavi Pantaleev | 636142c4e0 | matrix-bot-chatgpt role refactoring | 2 years ago
Slavi Pantaleev | a55c6b1b5a | Remove non-functional variable matrix_bot_chatgpt_loglevel | 2 years ago
Slavi Pantaleev | 9afc46de72 | Update matrix_bot_chatgpt_matrix_blacklist/matrix_bot_chatgpt_matrix_whitelist comment | 2 years ago
Slavi Pantaleev | cc890297f8 | Merge pull request #2573 from etkecc/patch-191 | 2 years ago
Aine | eaa3be2825 | Update element 1.11.24 -> 1.11.25 | 2 years ago
Slavi Pantaleev | 99cc5e4b2f | Fix file name typo | 2 years ago
Slavi Pantaleev | 4bd1b6bb50 | Merge pull request #2570 from array-in-a-matrix/patch-20 | 2 years ago
Array in a Matrix | a63860ac75 | fix typo | 2 years ago
Slavi Pantaleev | fab6c03609 | Allow some new endpoints to work on workers | 2 years ago
Slavi Pantaleev | 40c094f486 | Merge pull request #2569 from FSG-Cat/patch-1 | 2 years ago
Catalan Lover | 5cd3a6188e | Upgrade Synapse from 1.78.0 to 1.79.0 | 2 years ago
Slavi Pantaleev | 4c1db32ef9 | Rename some Dendrite variables to improve consistency | 2 years ago
Slavi Pantaleev | fd2f497ac0 | Fix variable names | 2 years ago
Slavi Pantaleev | 75cc50d2ab | Merge pull request #2567 from array-in-a-matrix/patch-18 | 2 years ago
Slavi Pantaleev | 38cb0a7c85 | Merge pull request #2565 from array-in-a-matrix/master | 2 years ago
Slavi Pantaleev | bef13fe495 | Merge branch 'master' into master | 2 years ago
Slavi Pantaleev | c747891cfe | Merge pull request #2566 from array-in-a-matrix/search | 2 years ago
Array in a Matrix | 4f0f6bd995 | Update dendrite.yaml.j2 | 2 years ago
Array in a Matrix | c93eb1dbf7 | Update dendrite.yaml.j2 | 2 years ago
Array in a Matrix | d0aa5a1f6a | Update main.yml | 2 years ago
array-in-a-matrix | 734848a27b | added full text search for dendrite | 2 years ago
array-in-a-matrix | 40f067148d | added dynamic thumbnails var | 2 years ago
Slavi Pantaleev | cf7f9701b7 | urlencode matrix_synapse_auto_compressor_database_username/matrix_synapse_auto_compressor_database_password | 2 years ago
Slavi Pantaleev | e5c5a9b02b | Merge pull request #2561 from etkecc/synapse-auto-compressor | 2 years ago
Slavi Pantaleev | d3a0ef22b6 | Announce matrix-synapse-auto-compressor | 2 years ago
Slavi Pantaleev | bb89d7b3fb | Fix self-building for matrix-synapse-auto-compressor | 2 years ago
Slavi Pantaleev | 7422337c26 | Add missing matrix-synapse-auto-compressor.timer in systemd service list | 2 years ago
Slavi Pantaleev | 328d0d8a5f | Move synapse-auto-compressor Postgres argument to an environment variable | 2 years ago
Slavi Pantaleev | 26d5719df4 | Make matrix-synapse-auto-compressor live in its own container network | 2 years ago
Slavi Pantaleev | 0f2e568b30 | Add validation tasks to matrix-synapse-auto-compressor | 2 years ago
Slavi Pantaleev | ca69fce648 | Add missing group vars for matrix-synapse-auto-compressor | 2 years ago
Slavi Pantaleev | b28d779c6c | Add matrix-synapse-auto-compressor section in group_vars/matrix_servers | 2 years ago
Slavi Pantaleev | 43ae0b2943 | Minor rewording | 2 years ago
Aine | bf3677a9b5 | add synapse_auto_compressor | 2 years ago
Slavi Pantaleev | 1bdd3e2503 | Merge pull request #2560 from etkecc/patch-190 | 2 years ago
Aine | 122a834a7f | update prometheus-node-exporter 1.5.0-2 -> 1.5.0-3 | 2 years ago
Slavi Pantaleev | 70af9a4481 | Upgrade Traefik (v2.9.8-1 -> v2.9.8-2) - not using unprivileged ports anymore | 2 years ago
Slavi Pantaleev | d999e984da | Merge pull request #2553 from array-in-a-matrix/patch-17 | 2 years ago
Slavi Pantaleev | dceb781e16 | Merge pull request #2554 from joecool1029/gptbump | 2 years ago
Joe Kappus | f2ebb5a91d | Bump ChatGPT version and add new config settings | 2 years ago
Array in a Matrix | 06a390b6b8 | Update configuring-playbook-cactus-comments.md | 2 years ago
Slavi Pantaleev | 0d93ee8c46 | Merge pull request #2548 from etkecc/patch-189 | 2 years ago
Aine | cdb1452d17 | Update jitsi stable-8252 -> stable-8319 | 2 years ago
Slavi Pantaleev | dddfee16bc | Fix all 300+ ansible-lint-reported errors | 2 years ago
Slavi Pantaleev | bf95204860 | Mention Element X Android not being quite ready for testing yet | 2 years ago
Slavi Pantaleev | 6c1a39e6e9 | Announce sliding-sync support | 2 years ago
Slavi Pantaleev | 023fe3ea08 | Add sliding-sync support | 2 years ago
Slavi Pantaleev | 2a872e95fc | Mention external roles in the FAQ | 2 years ago
Slavi Pantaleev | db4070fc75 | Remove some nginx references | 2 years ago
Slavi Pantaleev | 6e3aab6594 | Make devture-traefik to matrix-traefik migration code a little safer | 2 years ago
Slavi Pantaleev | 26fdae3797 | Upgrade com.devture.ansible.role.container_socket_proxy | 2 years ago
Slavi Pantaleev | e21c44347f | Add Traefik Dashboard warning | 2 years ago
Slavi Pantaleev | 30f1034767 | Remove matrix_playbook_traefik_role_enabled variable and devture-traefik references | 2 years ago
Slavi Pantaleev | adcc6d9723 | Relocate Traefik (to matrix-traefik.service && /matrix/traefik base path) | 2 years ago
Slavi Pantaleev | bf2b540807 | Harden Traefik security by accessing the Docker API through docker-socket-proxy | 2 years ago
Slavi Pantaleev | 449b51588e | Remove usage of undefined matrix_bot_go_neb_identifier variable | 2 years ago
Slavi Pantaleev | d9ce9064f6 | Merge pull request #2542 from etkecc/patch-188 | 2 years ago
Aine | 493de7316c | update honoroit 0.9.16 -> 0.9.17 | 2 years ago
Slavi Pantaleev | 6724b60d88 | Merge pull request #2541 from etkecc/patch-187 | 2 years ago
Aine | 6a6761cb88 | Update ntfy 2.1.1 -> 2.1.2 | 2 years ago
Slavi Pantaleev | 10b5350370 | Add Traefik support to Go-NEB bot | 2 years ago
Slavi Pantaleev | 6085e3a816 | Add validation tasks for Etherpad migration (matrix_etherpad -> etherpad) | 2 years ago
Slavi Pantaleev | 2457ac0f6a | Merge pull request #2538 from etkecc/patch-186 | 2 years ago
Aine | e588f5eaec | update grafana 9.4.2 -> 9.4.3 | 2 years ago
Slavi Pantaleev | f8966cd8da | Default etherpad_hostname to matrix_server_fqn_etherpad for backward compatibility | 2 years ago
Slavi Pantaleev | 8acfcf8bf1 | Merge pull request #2537 from etkecc/patch-185 | 2 years ago
Slavi Pantaleev | 70b67b12bc | Upgrade com.devture.ansible.role.postgres_backup | 2 years ago
Slavi Pantaleev | 0dcfc74fc8 | Upgrade com.devture.ansible.role.traefik_certs_dumper | 2 years ago
Slavi Pantaleev | 49b7d805ee | Upgrade com.devture.ansible.role.traefik | 2 years ago
Slavi Pantaleev | c49875e71c | Merge pull request #2536 from etkecc/patch-184 | 2 years ago
Aine | bb19de4a5f | update borgmatic 1.7.7 -> 1.7.8 | 2 years ago
Aine | 47cfec726f | update grafana 9.4.1 -> 9.4.2 | 2 years ago
Slavi Pantaleev | 849248b165 | Upgrade Etherpad role (v1.8.18-1 -> v1.8.18-2) | 2 years ago
Slavi Pantaleev | 795c335395 | Upgrade Etherpad role (v1.8.18-0 -> v1.8.18-1) | 2 years ago
Slavi Pantaleev | 124fbeda04 | Switch to using an external Etherpad role | 2 years ago
Slavi Pantaleev | ae76db4d77 | Upgrade com.devture.ansible.role.traefik_certs_dumper for wait time increase (60 -> 180 sec.) | 2 years ago
Slavi Pantaleev | 2e2691e96b | Merge pull request #2534 from FSG-Cat/draupnir | 2 years ago
Slavi Pantaleev | 4f74d21ba8 | Upgrade devture/ansible (2.13.6-r0-1 -> 2.13.6-r0-2) | 2 years ago
Catalan Lover | 4ccd3f79de | Fix Draupnir config | 2 years ago
Slavi Pantaleev | 606c1907bb | Merge pull request #2533 from etkecc/patch-183 | 2 years ago
Slavi Pantaleev | 227d9d8209 | Fix variable name typo | 2 years ago
Aine | 4cd9e65d6d | update ntfy 2.1.0 -> 2.1.1 | 2 years ago
Slavi Pantaleev | adc18251a9 | Upgrade com.devture.ansible.role.traefik (2.9.6 -> 2.9.8) | 2 years ago
Slavi Pantaleev | a4b401c4da | Upgrade com.devture.ansible.role.traefik and improve front-Traefik-with-another-proxy docs | 2 years ago
Slavi Pantaleev | 8db2c0498a | Upgrade Synapse (v1.77.0 -> v1.78.0) | 2 years ago
Slavi Pantaleev | d6371a0781 | Upgrade ddclient (v3.10.0-ls110 -> v3.10.0-ls111) | 2 years ago
Slavi Pantaleev | 468bed653e | Upgrade Redis (v7.0.7-0 -> v7.0.9-0) | 2 years ago
Slavi Pantaleev | ba2a3caaf3 | Minor improvements to docs/configuring-playbook-ssl-certificates.md | 2 years ago
Slavi Pantaleev | d8c2e1a98c | Merge pull request #2530 from plui29989/master | 2 years ago
Slavi Pantaleev | 7331d314c4 | Improve wording | 2 years ago
Slavi Pantaleev | b0845984b3 | Only enable Traefik certs dumper if the ACME certificate resolver for Traefik is enabled | 2 years ago
Slavi Pantaleev | f7149103e4 | Remove matrix_playbook_traefik_certs_dumper_role_enabled in favor of just devture_traefik_certs_dumper_enabled | 2 years ago
Slavi Pantaleev | f372403d22 | Merge pull request #2531 from array-in-a-matrix/master | 2 years ago
array-in-a-matrix | c3900aaf1b | remove devture services | 2 years ago
plui29989 | 4b17a1e73a | formatting | 2 years ago
plui29989 | 32e700f076 | Add doc for self-signed certificates | 2 years ago
Slavi Pantaleev | 79685c728b | Merge pull request #2528 from etkecc/patch-182 | 2 years ago
Slavi Pantaleev | 2da914e1bb | Merge pull request #2527 from etkecc/patch-181 | 2 years ago
Aine | 0fe1d1f9ec | Update element 1.11.23 -> 1.11.24 | 2 years ago
Aine | 0aede060f3 | Update grafana 9.3.6 -> 9.4.1 | 2 years ago
Slavi Pantaleev | 6fe739a2cb | Remove unnecessary variable | 2 years ago
Slavi Pantaleev | bb90536874 | Fix variable name typos in docs/configuring-playbook-postgres-backup.md | 2 years ago
Slavi Pantaleev | 73f09d4bb0 | Remove fronting matrix-nginx-proxy example | 2 years ago
Slavi Pantaleev | a5e216b837 | Merge pull request #2526 from jalemann/master | 2 years ago
Slavi Pantaleev | faa074f7af | Improve wording | 2 years ago
Slavi Pantaleev | 91660f7433 | Improve wording in examples/nginx/README.md | 2 years ago
Slavi Pantaleev | 7716c306f1 | Split Traefik rules for Matrix Client and Matrix Federation APIs | 2 years ago
Slavi Pantaleev | b388a01ab7 | Wire all certResolver variables to devture_traefik_certResolver_primary | 2 years ago
Slavi Pantaleev | 9e7415afa2 | Ensure Buscarron is part of the Postgres network | 2 years ago
Jost Alemann | 84e6677bc0 | in own webserver doc link to nginx fronting traefik example | 2 years ago
Jost Alemann | 89b9fca85c | remove duplicate of playbook config instructions | 2 years ago
Jost Alemann | 8dacdb038b | add: nginx example conf + readme for fronting playbooks traefik with own nginx | 2 years ago
Slavi Pantaleev | e6ba7cc2c9 | Upgrade com.devture.ansible.role.traefik | 2 years ago
Jost Alemann | 724373b123 | add nginx to list of own webserver example configs | 2 years ago
Slavi Pantaleev | 2c8dffc51c | Merge pull request #2525 from thomwiggers/patch-8 | 2 years ago
Thom Wiggers | d544f746e8 | Update irc appservice | 2 years ago
Slavi Pantaleev | d5910d0421 | Upgrade com.devture.ansible.role.docker_sdk_for_python | 2 years ago
Slavi Pantaleev | 058a54fd05 | Add native Traefik support to Dimension | 2 years ago
Slavi Pantaleev | b84f25309b | Add matrix_homeserver_container_network | 2 years ago
Slavi Pantaleev | cdd23aafc6 | Add matrix_conduit_container_network/matrix_conduit_container_additional_networks | 2 years ago
Slavi Pantaleev | 9e4ecf4ac9 | Add matrix_dendrite_container_network/matrix_dendrite_container_additional_networks | 2 years ago
Slavi Pantaleev | 31857ea9bb | Upgrade com.devture.ansible.role.traefik_certs_dumper | 2 years ago
Slavi Pantaleev | 7c622bd249 | Upgrade com.devture.ansible.role.traefik | 2 years ago
Slavi Pantaleev | f0463b0a10 | Merge pull request #2520 from Jaffex/master | 2 years ago
Slavi Pantaleev | 835f2d482e | Merge pull request #2519 from etkecc/patch-180 | 2 years ago
Jan | 05b3f6565b | Update CHANGELOG.md | 2 years ago
Jan | ffff236167 | Update configuring-playbook-own-webserver.md | 2 years ago
Aine | 7852d5eb26 | update mautrix-telegram 0.12.2 -> 0.13.0 | 2 years ago
Slavi Pantaleev | 0452619820 | Add Related playbooks | 2 years ago
Slavi Pantaleev | 71ae825f6a | Switch default reverse-proxy to Traefik, force reverse-proxy choice on existing users | 2 years ago
Slavi Pantaleev | 67e97cd2dc | Redo etke.cc section in the README | 2 years ago
Slavi Pantaleev | c57ffa4332 | Merge pull request #2518 from etkecc/patch-179 | 2 years ago
Aine | e625e9aa5b | fix postgres version detection in the borg role | 2 years ago
Slavi Pantaleev | d20ff688db | Add native Traefik support to Sygnal | 2 years ago
Slavi Pantaleev | eb213c1195 | Merge pull request #2517 from etkecc/patch-178 | 2 years ago
Aine | 252e542bc5 | Update ntfy 2.0.1 -> 2.1.0 | 2 years ago
Slavi Pantaleev | 348dd8e76b | Remove double space | 2 years ago
Slavi Pantaleev | 8df7ad47cd | Fix rageshake project description in defaults/main.yml | 2 years ago
Slavi Pantaleev | ccb5b37842 | Fix some typos on the Buscarron docs page | 2 years ago
Slavi Pantaleev | 725b2beed7 | Add native Traefik support to Buscarron | 2 years ago
Slavi Pantaleev | 3852a740bc | Mention that Buscarron is aggressive when it comes to banning | 2 years ago
Slavi Pantaleev | bc5dda2b3a | Reorder some Buscarron default variables and fix some typos | 2 years ago
Slavi Pantaleev | d7578880b6 | Fix typo on Rageshake documentation page | 2 years ago
Slavi Pantaleev | 63408096cf | Fix up Buscarron description on its documentation page | 2 years ago
Slavi Pantaleev | 0220c851e8 | Add multiple container networks support to Buscarron | 2 years ago
Slavi Pantaleev | 6c2d397853 | Fix inaccurate Buscarron project description comment | 2 years ago
Slavi Pantaleev | c5dbeeae91 | Merge pull request #2510 from gnunicorn/ben-adding-rageshake | 2 years ago
Slavi Pantaleev | a45c70fd66 | Announce Rageshake support | 2 years ago
Slavi Pantaleev | b5e9ff5926 | Add Rageshake documentation | 2 years ago
Slavi Pantaleev | 233e253264 | Add native Traefik support to rageshake | 2 years ago
Slavi Pantaleev | 4c64e092d0 | Fix rageshake self-building | 2 years ago
Slavi Pantaleev | 39be2ef71a | Fix matrix_rageshake_container_src_files_path value | 2 years ago
Slavi Pantaleev | 9a8ebf3d8c | matrix_rageshake_docker_ -> matrix_rageshake_container_ | 2 years ago
Slavi Pantaleev | 5934de84be | Reorder matrix-rageshake default variables a bit | 2 years ago
Slavi Pantaleev | 306679103b | Require self-building of rageshake for arm64 | 2 years ago
Slavi Pantaleev | 8339ebdf58 | Redo the way matrix-rageshake configuration is done | 2 years ago
Slavi Pantaleev | a51c9521a8 | Rename some task files | 2 years ago
Slavi Pantaleev | db0104978f | Extract api_prefix rageshake configuration into matrix_rageshake_config_api_prefix | 2 years ago
Slavi Pantaleev | 19e0b8374b | Enable matrix_rageshake_enabled in the role by default | 2 years ago
Slavi Pantaleev | d513c0f446 | Document why the rageshake version is master | 2 years ago
Slavi Pantaleev | 55f43dcc6d | Fixup matrix-rageshake section in group vars | 2 years ago
Slavi Pantaleev | 5adec0bef2 | Merge pull request #2516 from Tupsi/patch-2 | 2 years ago
Tupsi | c139d139a5 | Update configuring-playbook-own-webserver.md | 2 years ago
Slavi Pantaleev | 53f8a0c6ae | Upgrade com.devture.ansible.role.traefik | 2 years ago
Benjamin Kampmann | 40f037b36d | Add rageshake server | 2 years ago
Slavi Pantaleev | c8022c1a18 | Remove useless explicit daemon reload in matrix-user-creator | 2 years ago
Slavi Pantaleev | 0af6e6d9d9 | Make wait time for matrix-user-creator configurable and increase default (7 -> 10 sec.) | 2 years ago
Slavi Pantaleev | 84c5b44bea | Upgrade com.devture.ansible.role.docker_sdk_for_python | 2 years ago
Slavi Pantaleev | 643acfcb5b | Make synapse-s3-storage-provider periodic migration schedule customizable | 2 years ago
Slavi Pantaleev | d04132759b | Merge pull request #2511 from igogold/patch-1 | 2 years ago
Slavi Pantaleev | 4caeab9117 | Fix spacing around Jinja2 filters | 2 years ago
Igor Goldenberg | 620247673e | Allow configuring default country code in element welcome page. | 2 years ago
Slavi Pantaleev | 41a5b2dca2 | Merge pull request #2509 from etkecc/patch-177 | 2 years ago
Aine | cbc8f0c6e6 | Update borgmatic 1.7.6 -> 1.7.7 | 2 years ago
Slavi Pantaleev | 1c10a7727c | Upgrade ddclient (v3.10.0-ls106 -> v3.10.0-ls110) | 2 years ago
Slavi Pantaleev | 7340246a9b | Merge pull request #2508 from FSG-Cat/draupnir | 2 years ago
Catalan Lover | 65e7aa2406 | Update Draupnir from v1.80.0 to v1.80.1 | 2 years ago
Catalan Lover | 601b67c02d | Update Draupnir Config | 2 years ago
Slavi Pantaleev | d7e69cfa1e | Merge pull request #2507 from Bergruebe/patch-1 | 2 years ago
Bergrübe | 0c33597ec1 | Merge branch 'spantaleev:master' into patch-1 | 2 years ago
Bergrübe | ba429f6a40 | Added matrix_nginx_proxy_https_enabled to the own-nginx documentation | 2 years ago
Slavi Pantaleev | 8e592fb0c1 | Upgrade grafana role (v9.3.6-1 -> v9.3.6-2) | 2 years ago
Slavi Pantaleev | 6cdbde01d7 | Fix various Traefik headers syntax | 2 years ago
Slavi Pantaleev | 30185a04e9 | Merge pull request #2505 from tilosp/patch-1 | 2 years ago
Tilo Spannagel | 6438f1ff42 | Add matrix_playbook_ssl_enabled: true to configuring-playbook-own-webserver.md | 2 years ago
Slavi Pantaleev | 5e7f30a129 | Fix appservice-discord/appservice-slack/appservice-webhooks port troubles with external reverse-proxy | 2 years ago
Slavi Pantaleev | a758301bf6 | Upgrade geerlingguy.docker (6.0.4 -> 6.1.0) | 2 years ago
Slavi Pantaleev | 0da308e24d | Upgrade com.devture.ansible.role.traefik | 2 years ago
Slavi Pantaleev | ecde8a46f8 | Merge pull request #2503 from etkecc/patch-176 | 2 years ago
Aine | 886d1cddd0 | Update ntfy v2.0.0-1 -> v2.0.1-0 | 2 years ago
Slavi Pantaleev | a3ae414d43 | Merge pull request #2501 from array-in-a-matrix/patch-15 | 2 years ago
Array in a Matrix | 89f2fa53c0 | remove comment regarding nginx in traefik doc | 2 years ago
Slavi Pantaleev | 5df89a44b3 | Add support for customizing Synapse templates | 2 years ago
Slavi Pantaleev | 9775218850 | Add matrix_synapse_email_app_name variable | 2 years ago
Slavi Pantaleev | 632026513e | Add matrix_synapse_uid, matrix_synapse_gid and matrix_synapse_username | 2 years ago
Slavi Pantaleev | 154d077ec7 | Upgrade ntfy (v2.0.0-0 -> v2.0.0-1) | 2 years ago
Slavi Pantaleev | 990a6369e1 | Switch to using an external Redis role | 2 years ago
Slavi Pantaleev | 519b32543c | Add matrix_synapse_container_network and matrix_synapse_container_additional_networks | 2 years ago
Slavi Pantaleev | 0ce2121d01 | Fix variable typo in validation task | 2 years ago
Slavi Pantaleev | b291459bf3 | Fix syntax error | 2 years ago
Slavi Pantaleev | 964aa0e84d | Switch to using an external Ntfy role | 2 years ago
Slavi Pantaleev | 38c4e464c1 | Fix self-check for Hydrogen and Cinny when running under a subpath | 2 years ago
Slavi Pantaleev | 941e768362 | Merge pull request #2497 from etkecc/patch-175 | 2 years ago
Aine | 954920dd4f | Update ntfy 1.31.0 -> 2.0.0 | 2 years ago
Slavi Pantaleev | 8fd8f12a0d | Merge pull request #2493 from etkecc/patch-174 | 2 years ago
Slavi Pantaleev | 0289695cbb | Merge pull request #2492 from etkecc/patch-173 | 2 years ago
Aine | 64ec1db077 | Update mautrix-whatsapp 0.8.1 -> 0.8.2 | 2 years ago
Aine | 649f6512ca | Update mautrix-discord 0.1.0 -> 0.1.1 | 2 years ago
Slavi Pantaleev | e80b98c3ad | Do not mount SSL certificates into Coturn if TLS is disabled for it | 2 years ago
Slavi Pantaleev | 93bb117a29 | Mention Traefik changes causing backward-compatibility break for own-webserver (non-nginx-proxy) users | 2 years ago
Slavi Pantaleev | 1e085b432b | Merge pull request #2491 from Cadair/patch-1 | 2 years ago
Stuart Mumford | 8a471b97a1 | Update configuring-playbook-bridge-mautrix-slack.md | 2 years ago
Slavi Pantaleev | bb7895678c | Fix typo | 2 years ago
Slavi Pantaleev | 4c7d054b37 | Merge pull request #2489 from etkecc/patch-172 | 2 years ago
Aine | 4fe6015464 | Update ntfy 1.30.1 -> 1.31.0 | 2 years ago
Slavi Pantaleev | 7c5826f1c3 | Break dependency between matrix-prometheus-nginxlog-exporter and the Grafana role | 2 years ago
Slavi Pantaleev | 1006b8d899 | Replace matrix-grafana with an external role | 2 years ago
Slavi Pantaleev | 94124263a7 | Add matrix_prometheus_container_network/matrix_prometheus_container_additional_networks | 2 years ago
Slavi Pantaleev | 59a3646c66 | Make .editorconfig for group_vars/matrix_servers cleaner | 2 years ago
Slavi Pantaleev | b6d45304b4 | Make sure group_vars/matrix_servers is indented like other YAML files (with 2 spaces) | 2 years ago
Slavi Pantaleev | b648d4579f | Make it clear that certain matrix_nginx_proxy_* variables are necessary for now, even with Traefik | 2 years ago
Slavi Pantaleev | 0b9dc56edf | Add type support to matrix_coturn_container_additional_volumes | 2 years ago
Slavi Pantaleev | 89fea3ef3c | Merge pull request #2488 from array-in-a-matrix/patch-14 | 2 years ago
Array in a Matrix | 7fca8dc986 | Update README.md | 2 years ago
Slavi Pantaleev | 1f0da1103a | Merge pull request #2485 from etkecc/patch-171 | 2 years ago
Slavi Pantaleev | c85d48c45c | Remove Traefik labels for Hydrogen & Cinny from matrix-nginx-proxy | 2 years ago
Aine | 4045d72e7b | update postmoogle 0.9.13 -> 0.9.14 | 2 years ago
Slavi Pantaleev | 4d24e9bb7f | Merge pull request #2484 from etkecc/patch-170 | 2 years ago
Slavi Pantaleev | 73fa9817fc | Merge pull request #2483 from etkecc/patch-169 | 2 years ago
Aine | 3570808633 | Update synapse 1.76.0 -> 1.77.0 | 2 years ago
Aine | c98f40c836 | Update hydrogen 0.3.7 -> 0.3.8 | 2 years ago
Slavi Pantaleev | 51cfd7b777 | Merge pull request #2481 from moan0s/update | 2 years ago
Julian-Samuel Gebühr | 6727aa55ec | Bump element version | 2 years ago
Slavi Pantaleev | f28e7ef9c7 | Add (native) Traefik support to matrix-client-cinny | 2 years ago
Slavi Pantaleev | 3bace0c7b9 | Add matrix_synapse_admin_hostname and rename matrix_synapse_admin_public_endpoint (to matrix_synapse_admin_path_prefix) | 2 years ago
Slavi Pantaleev | 2e74187050 | Add matrix_client_element_hostname and matrix_client_element_path_prefix variables | 2 years ago
Slavi Pantaleev | eb7292f274 | Add matrix_client_hydrogen_hostname and fix Hydrogen serving at non-root-path | 2 years ago
Slavi Pantaleev | 6a52be7987 | Add (native) Traefik support to matrix-client-hydrogen | 2 years ago
Slavi Pantaleev | 64e2b26ed5 | Fix Hydrogen failing to start | 2 years ago
Slavi Pantaleev | 799cbb44fb | Add the ability to control (Traefik) routing priority for Element and synapse-admin | 2 years ago
Slavi Pantaleev | 5c7cd70684 | Make use of the existing matrix_synapse_admin_public_endpoint variable | 2 years ago
Slavi Pantaleev | c33ed94352 | Add security headers to synapse-admin (on Traefik) | 2 years ago
Slavi Pantaleev | 71597132e0 | Move around some matrix-client-element variables | 2 years ago
Slavi Pantaleev | 5ab5f28d14 | Add support for running synapse-admin (on Traefik) at the root path | 2 years ago
Slavi Pantaleev | ff1338e003 | Add support for hosting Element (on Traefik) at a subpath | 2 years ago
Slavi Pantaleev | e34174b1b4 | Add various security headers to matrix-client-element when behind Traefik | 2 years ago
Slavi Pantaleev | e51e4eec09 | Add (native) Traefik support to matrix-client-element | 2 years ago
Slavi Pantaleev | f2ed5e4b04 | Delete /matrix/nginx-proxy/conf.d/matrix-client-element.conf if matrix_nginx_proxy_proxy_element_enabled not enabled | 2 years ago
Slavi Pantaleev | c0060753b5 | Merge pull request #2477 from etkecc/patch-168 | 2 years ago
Slavi Pantaleev | b2d8718233 | Fix synapse-admin reverse-proxying regression for "playbook-managed-nginx" | 2 years ago
Aine | 9f820a506a | Update postmoogle 0.9.12 -> 0.9.13 | 2 years ago
Slavi Pantaleev | 6cda711c0b | Fix incorrect host_bind_port syntax (extra `:`) affecting certain deployments | 2 years ago
Slavi Pantaleev | 31aa87fdb6 | Merge pull request #2475 from etkecc/patch-167 | 2 years ago
Slavi Pantaleev | 3d9aa8387e | Add (native) Traefik support to synapse-admin | 2 years ago
Aine | f6f7bbd2a1 | Update coturn 4.6.1-r1 -> 4.6.1-r2 | 2 years ago
Slavi Pantaleev | 80935a5194 | Fix broken backup_borg link | 2 years ago
Slavi Pantaleev | 06f5be4fa5 | Announce matrix-backup-borg extraction | 2 years ago
Slavi Pantaleev | 5d14621916 | Fix outdated documentation leading to matrix-backup-borg | 2 years ago
Slavi Pantaleev | e78c52a63a | Merge pull request #2473 from etkecc/patch-166 | 2 years ago
Aine | 33b4f7031b | restore borg prefixes | 2 years ago
Slavi Pantaleev | 266195ab45 | Upgrade backup_borg (v1.2.3-1.7.5-1 -> v1.2.3-1.7.6-0) | 2 years ago
Slavi Pantaleev | 65730b84d3 | Upgrade backup_borg (v1.2.3-1.7.5-0 -> v1.2.3-1.7.5-1) | 2 years ago
Slavi Pantaleev | 23f7720247 | Add missing backup_borg_base_path override | 2 years ago
Slavi Pantaleev | 38904c08b0 | Wire backup_borg_username | 2 years ago
Slavi Pantaleev | 78c35136b2 | Replace matrix-backup-borg with an external role | 2 years ago
Slavi Pantaleev | f81aa4a927 | Merge pull request #2470 from Techno-Disaster/td/oops | 2 years ago
td | af10d350bc | fix: missing endif in client well-known | 2 years ago
Jayesh Nirve | 6939a3d6d3 | fix: only add element related entries to client well-known if element is enabled (#2453) | 2 years ago
Slavi Pantaleev | 2be5ba45db | Merge pull request #2466 from array-in-a-matrix/patch-13 | 2 years ago
Array in a Matrix | 79413e7717 | updated dendrite | 2 years ago
Slavi Pantaleev | 972043cfaf | Fix trying to start devture-traefik when not necessarily enabled | 2 years ago
Slavi Pantaleev | f1a1ce8a91 | Merge pull request #2464 from spantaleev/traefik | 2 years ago
Slavi Pantaleev | bc4cb7bb6a | Update configuring-playbook-own-webserver.md with matrix_playbook_reverse_proxy_type awareness | 2 years ago
Slavi Pantaleev | 73435dfe10 | Announce Traefik support | 2 years ago
Slavi Pantaleev | b3f6436a0d | Do not enable the Traefik role when reverse-proxy = other-traefik-container | 2 years ago
Slavi Pantaleev | 709e528f60 | Merge pull request #2462 from FSG-Cat/patch-4 | 2 years ago
Slavi Pantaleev | e41840e184 | Merge pull request #2463 from JokerGermany/patch-1 | 2 years ago
JokerGermany | 17e3c2157e | Add Draupnir to the Readme | 2 years ago
Catalan Lover | cba63bd4b9 | Upgrade Draupnir from 1.8.0 Beta to 1.8.0 release. | 2 years ago
Slavi Pantaleev | 4ab915f385 | Merge pull request #2460 from FSG-Cat/Mjolnir/Drapunir-Crash-on-start/Dimension-Crash-on-start | 2 years ago
Catalan Lover | be471250dd | Move services that crash without hs connectivity to after proxy. | 2 years ago
Slavi Pantaleev | 6b0650641b | Update matrix_playbook_reverse_proxy_type documentation | 2 years ago
Slavi Pantaleev | 94be74e633 | Improve traefik-certs-dumper defaults for other-traefik-container setups | 2 years ago
Slavi Pantaleev | f37a7a21f1 | Delay Postmoogle startup to help Traefik-based setups | 2 years ago
Slavi Pantaleev | 8309a21303 | Rename reverse proxy types and fix Hookshot http/https urlPrefix issue | 2 years ago
Slavi Pantaleev | 3f2cb840b9 | Merge branch 'master' into traefik | 2 years ago
Slavi Pantaleev | ad22bdb884 | Do not run matrix-user-verification-service validation tasks unless the service is enabled | 2 years ago
Slavi Pantaleev | 7142ff422d | Ensure matrix_user_verification_service_uvs_access_token is always defined | 2 years ago
Slavi Pantaleev | 97f65e8dff | Minor fixes to allow for Traefik without SSL | 2 years ago
Slavi Pantaleev | ddad722e78 | Merge pull request #2458 from etkecc/patch-164 | 2 years ago
Aine | a1ef28681a | Update Hydrogen 0.3.6 -> 0.3.7 | 2 years ago
Slavi Pantaleev | a5afa4eac9 | Merge branch 'master' into traefik | 2 years ago
Slavi Pantaleev | c773a005ae | Fix broken link to Matrix User Verification Service | 2 years ago
Slavi Pantaleev | 28d2eb593c | Add matrix_playbook_reverse_proxy_type variable which influences all other services | 2 years ago
Slavi Pantaleev | 8263228ffb | Merge pull request #2457 from FSG-Cat/patch-3 | 2 years ago
Slavi Pantaleev | 06ccd71edc | Merge branch 'master' into traefik | 2 years ago
Catalan Lover | 29be262f3b | Fix formatting error in Draupnir docs | 2 years ago
Slavi Pantaleev | 6db3c8f2ad | Announce Matrix Authentication Support for Jitsi | 2 years ago
Slavi Pantaleev | f6ab162fff | Remove systemd-reloading handler in matrix-user-verification-service | 2 years ago
Slavi Pantaleev | e1bfa2a7d6 | Fix ansible-lint-reported errors | 2 years ago
Slavi Pantaleev | 43a6a035a0 | Skip removing /.well-known/element directory to suppress ansible-lint error | 2 years ago
Slavi Pantaleev | 01ccec2dbe | Merge branch 'master' into pr-jitsi-matrix-authentication | 2 years ago
Slavi Pantaleev | 600aaa0bc7 | Announce Draupnir support | 2 years ago
Slavi Pantaleev | 7cdf59d79b | Merge pull request #2451 from FSG-Cat/draupnir | 2 years ago
Slavi Pantaleev | 0a15e56641 | Fix typo | 2 years ago
Slavi Pantaleev | d6c8ea3742 | Merge pull request #2452 from borisrunakov/update-matrix-chatgpt-bot | 2 years ago
ntallasv | f71cd3a760 | fix linting in validate_config.yml | 2 years ago
ntallasv | 4221b64a98 | update configuring-playbook-bot-chatgpt.md | 2 years ago
ntallasv | b738486684 | update validate_config.yml | 2 years ago
Slavi Pantaleev | 7fb7e7cd69 | Merge pull request #2454 from etkecc/patch-163 | 2 years ago
Aine | d32f80bf29 | Update postmoogle 0.9.11 -> 0.9.12 | 2 years ago
ntallasv | 9615855cfa | update matrix-chatgpt-bot | 2 years ago
Slavi Pantaleev | c289996cd9 | Upgrade com.devture.ansible.role.traefik | 2 years ago
Slavi Pantaleev | a5683a6449 | Upgrade com.devture.ansible.role.traefik and rename some variables | 2 years ago
Catalan Lover | ddcb1735e2 | Add draupnir as valid prefix to resolve a bug | 2 years ago
Catalan Lover | a717590aa5 | Rename systemd service file from mjolnir to draupnir | 2 years ago
Catalan Lover | 79a4e57fbd | Add draupnir docs. | 2 years ago
Catalan Lover | 7b42ff4b75 | Finalise moving draupnir to a fully testable state. | 2 years ago
Slavi Pantaleev | 88a26758e1 | Merge branch 'master' into traefik | 2 years ago
Slavi Pantaleev | c71567477a | Stop using deprecated matrix_bot_postmoogle_domain variable in group vars | 2 years ago
Slavi Pantaleev | 1338963b6c | Add support for obtaining additional SSL certificates via Traefik | 2 years ago
Catalan Lover | 9092d4bb6b | Push draupnir version from develop to v1.80.0-beta.0 | 2 years ago
Catalan Lover | 78b1ebd5af | commit main.yml for draupnir and set target ver to develop | 2 years ago
Catalan Lover | 563cf1a4ba | Initial commit for draupnir. | 2 years ago
Slavi Pantaleev | 49a1985750 | Fix Postmoogle systemd service description |
2 years ago
Slavi Pantaleev 9a71a5696b Allow Postmoogle to work with SSL certificates extracted from Traefik
2 years ago
Slavi Pantaleev ddf6b2d4ee Handle matrix_playbook_reverse_proxy_type being "none" when deciding on Coturn certificate parameters
2 years ago
Slavi Pantaleev d44d4b637f Allow Coturn to work with SSL certificates extracted from Traefik
2 years ago
Slavi Pantaleev c07630ed51 Add com.devture.ansible.role.traefik_certs_dumper role
2 years ago
Slavi Pantaleev 65b8e0f4ef
Merge pull request #2446 from etkecc/patch-162
2 years ago
Aine 2eb2ad0ad7
Update heisenbridge 1.14.1 -> 1.14.2
2 years ago
Slavi Pantaleev 2b9061a5d3 Add support for reverse-proxying the base domain via Traefik
2 years ago
Slavi Pantaleev 6c17671abd Upgrade synapse-admin (0.8.6 -> 0.8.7) and drop reverse-proxy workaround
2 years ago
Slavi Pantaleev 66baef5bf6 Fix matrix-synapse-reverse-proxy-companion.service stopping during uninstallation
2 years ago
jakicoll 6a205a83f6 Change renamed variables matrix_systemd_path -> devture_systemd_docker_base_systemd_path
2 years ago
jakicoll 6cffec14ea fixup! Remove the self-build stub, because self-build was not implemented
2 years ago
jakicoll be634168ac Make the linter happy.
2 years ago
jakicoll f3ca4a0632 Remove unnecessary comment.
2 years ago
jakicoll 7848d865a5 Also define the vars to be overwritten in group vars within the role vars.
2 years ago
Paul N 70bea81df7 Introduced flags to (1) enable/disable Auth (2) enable/disable openid_server_name pinning. Updated validate_config.yml and added new checks to verify.
2 years ago
Paul N 96dd86d33b Set default values where sensible and remove unnecessary conditionals in .env.j2.
2 years ago
Paul N d67d8c07f5 Remove remnant comment.
2 years ago
jakicoll 6b206b3763 Move checks into validate_config.yml.
2 years ago
jakicoll 6499b6536a Decoupling: Do not use variables user-verification-service role inside the jitsi role.
2 years ago
Paul N 1d99f17b4a Disable matrix-user-verification-service in group_vars and update docs accordingly.
2 years ago
Paul N 50c1e9d695 Set matrix_user_verification_service_uvs_homeserver_url in the role defaults and updated docs accordingly.
2 years ago
Paul N 07d9ea5e87 Stick to port 3003 instead of changing the port based on the status of grafana.
2 years ago
jakicoll 0e0ae2f3e6 Assign default log level in role instead of matrix_servers file.
2 years ago
jakicoll bf5e633656 Remove the self-build stub, because self-build was not implemented
2 years ago
Paul N b89f5b7ff5
Clarify task name and add user and group to templated env file
2 years ago
Jakob S 6913d368c8
Consolidate conditionals into a block, keep image
2 years ago
jakicoll f53731756d Change comment
2 years ago
Slavi Pantaleev 8155f780e5 Add support for reverse-proxying Matrix (Client & Federation) via Traefik
2 years ago
jakicoll 94830b582b Wording: change collection -> playbook
2 years ago
Slavi Pantaleev f983604695 Initial work on Traefik support
2 years ago
Slavi Pantaleev 946bbe9734 Upgrade prometheus_node_exporter (v1.5.0-1 -> v1.5.0-2)
2 years ago
Slavi Pantaleev 5de5b5c62c Upgrade prometheus_postgres_exporter (v0.11.1-1 -> v0.11.1-2)
2 years ago
Slavi Pantaleev 4d6a8d049d Add matrix_nginx_proxy_container_network variable
2 years ago
Slavi Pantaleev e018663ba4 Attach ma1sd/nginx-proxy/synapse-reverse-proxy-companion to additional networks in a better way
2 years ago
Slavi Pantaleev 045ed94d43 Upgrade prometheus_postgres_exporter (v0.11.1-0 -> v0.11.1-1)
2 years ago
Slavi Pantaleev be78b74fbd Switch from matrix-prometheus-postgres-exporter to an external prometheus_postgres_exporter role
2 years ago
Slavi Pantaleev 2d7d5d4bab Use new security-opt syntax (: -> =)
2 years ago
Slavi Pantaleev 919f9701ce
Merge pull request #2443 from FSG-Cat/patch-2
2 years ago
Catalan Lover 4d49f1f56e
Update Prometheus to v2.42.0 from v2.41.0
2 years ago
Slavi Pantaleev 4027531957
Merge pull request #2440 from etkecc/patch-161
2 years ago
Aine c11f772e78
Fix python packages path in synapse container
2 years ago
Slavi Pantaleev 7cb140b987
Downgrade Prometheus (v2.42.0 -> v2.41.0) until a container image gets published
2 years ago
Slavi Pantaleev d42ef7d243
Merge pull request #2439 from etkecc/patch-160
2 years ago
Slavi Pantaleev c8ce83c725
Merge pull request #2438 from etkecc/patch-159
2 years ago
Slavi Pantaleev c65d165c1b
Merge pull request #2437 from etkecc/patch-158
2 years ago
Aine 0f208ed053
Update synapse 1.75.0 -> 1.76.0; default room version 9 -> 10
2 years ago
Aine 82d870fddf
Update prometheus 2.41.0 -> 2.42.0
2 years ago
Aine 5300740f70
Update element 1.11.21 -> 1.11.22
2 years ago
Slavi Pantaleev c7767e9bc8 Upgrade Coturn (4.6.1-r0 -> 4.6.1-r1)
2 years ago
Slavi Pantaleev 66bb2943b4
Merge pull request #2436 from etkecc/patch-157
2 years ago
Slavi Pantaleev f5a85af47d
Merge pull request #2435 from etkecc/patch-156
2 years ago
Aine 68ca23d709
Update jitsi stable-8218 -> stable-8252
2 years ago
Aine d70076c805
Update element 1.11.20 -> 1.11.21
2 years ago
Slavi Pantaleev dae1640070
Merge pull request #2433 from etkecc/patch-155
2 years ago
Aine 8c2b77bf0c
Update cinny 2.2.3 -> 2.2.4
2 years ago
Slavi Pantaleev 611a74bde2 Use |to_json in mautrix metrics configuration
2 years ago
Slavi Pantaleev d7c0239e40 Enable metrics endpoint for mautrix bridges by default when Prometheus is enabled
2 years ago
Slavi Pantaleev d82d0ad84b Add _metrics_proxying_enabled variables to mautrix bridges
2 years ago
Slavi Pantaleev cad83ddca6
Merge pull request #2427 from alemairebe/mautrix-metrics
2 years ago
Slavi Pantaleev f9a496c29c
Merge pull request #2432 from shalzz/patch/slack
2 years ago
Shaleen Jain df9931f719 mautrix-slack: add team name in channel name template
2 years ago
Slavi Pantaleev 389d6c978f
Merge pull request #2431 from etkecc/patch-154
2 years ago
Slavi Pantaleev 5482a9d5d0
Merge pull request #2429 from etkecc/patch-152
2 years ago
Slavi Pantaleev 1dc8f59a38
Merge pull request #2430 from etkecc/patch-153
2 years ago
Aine 4f69b22a6e
Update borgmatic 1.7.5 -> 1.7.6
2 years ago
Aine a9a17d803e
Update maubot 0.3.1 -> 0.4.0
2 years ago
Aine 111303208a
Update mautrix-discord latest -> 0.1.0
2 years ago
Adrien le Maire 9eaf6944e3 add nginx proxy config for mautrix metrics
2 years ago
Adrien le Maire 691ef13cab template metric toggle for mautrix bridges supporting it
2 years ago
Slavi Pantaleev e588c42088 Improve synapse-admin reverse-proxying fix
2 years ago
Slavi Pantaleev 6a31fba346 Fix synapse-admin reverse-proxying regression caused by 0.8.6
2 years ago
Slavi Pantaleev 29818abaf5
Merge pull request #2423 from etkecc/patch-150
2 years ago
Aine f165aa5d48
Update synapse-admin 0.8.5 -> 0.8.6
2 years ago
Slavi Pantaleev 546535982b
Merge pull request #2422 from bertybuttface/patch-1
2 years ago
bertybuttface 7b5ced3037
Fix linting issue.
2 years ago
bertybuttface d66a2949f6
Update env.j2
2 years ago
bertybuttface 7e1408ea65
Bump ChatGPT version and add new config settings
2 years ago
Slavi Pantaleev 430a55902c
Merge pull request #2420 from bertybuttface/patch-1
2 years ago
Slavi Pantaleev 784043cc5d
Ensure OPENAI_PRO is true/false (not True/False)
2 years ago
Slavi Pantaleev e43ba65dd3 Upgrade prometheus_node_exporter (v1.5.0-0 -> v1.5.0-1)
2 years ago
Slavi Pantaleev 864b64d015 Mention the new no-multicast-peers default in Coturn config
2 years ago
Slavi Pantaleev f1c9052fe5 Make it obvious that running Coturn in host-networking mode requires manual firewall changes
2 years ago
Slavi Pantaleev 867737fe0b Upgrade Grafana (9.3.4 -> 9.3.6)
2 years ago
Slavi Pantaleev aafa8f019c Allow matrix_coturn_docker_network to be set to 'host' to use host-networking
2 years ago
Slavi Pantaleev bb0faa6bc3 Block various private network ranges via denied_peer_ips for Coturn by default
2 years ago
Slavi Pantaleev 773cb7d37e Make no-tcp-relay Coturn configuration property configurable
2 years ago
Slavi Pantaleev bf23d63f82 Add matrix_coturn_additional_configuration
2 years ago
Slavi Pantaleev 4c9f96722f Add no-multicast-peers to Coturn config by default
2 years ago
bertybuttface 18c3903def
Update env.j2
2 years ago
bertybuttface ad58858a96
Upgrade matrix-chatgpt (1.2.3 -> 1.3.2)
2 years ago
Slavi Pantaleev 803d5c129e
Merge pull request #2419 from RhysRdm/jitsi-jigasi-user-population
2 years ago
rhys d01de9f33d Fix lint errors
2 years ago
rhys 547b01d618 Added option to allow user to set jigasi user and password for AUTH
2 years ago
Slavi Pantaleev 39b0300797
Merge pull request #2418 from etkecc/patch-149
2 years ago
Aine 6afd3c59eb
Update grafana 9.3.2 -> 9.3.4
2 years ago
Slavi Pantaleev d0d2c94493
Merge pull request #2417 from array-in-a-matrix/patch-12
2 years ago
Array in a Matrix 47165e8902
updated dendrite version
2 years ago
Slavi Pantaleev 54e5e4b6b9
Merge pull request #2416 from moan0s/fix_cactus_comments
2 years ago
Slavi Pantaleev c4d1347466
Fix typos
2 years ago
Julian-Samuel Gebühr 18d8d41e14 Fix client js and css download (load compiled version)
2 years ago
jakicoll 42e4e50f5b Matrix Authentication Support for Jitsi
2 years ago

@ -19,6 +19,10 @@ trim_trailing_whitespace = true
indent_style = space
indent_size = 2
[group_vars/matrix_servers]
indent_style = space
indent_size = 2
# Markdown Files
#
# Two spaces at the end of a line in Markdown mean "new line",
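Review bot: the new `[group_vars/matrix_servers]` section repeats the exact `indent_style = space` / `indent_size = 2` values of the section directly above it, so without a comment it reads as redundant; a one-line comment above the section saying that this file has no extension and is therefore not matched by an extension-based glob would make the intent clear. Also check whether `trim_trailing_whitespace = true` (visible in the hunk header context) is inherited by this section from a general one; if not, add it here, since trailing whitespace in this YAML file would otherwise produce noisy diffs.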

@ -1,10 +1,385 @@
# 2023-03-22
## ntfy Web App is disabled by default
ntfy provides a web app, which is now disabled by default, because it may be unknown to and unused by most users of this playbook. You can enable it by setting `ntfy_web_root: "app"` (see [ntfy documentation](docs/configuring-playbook-ntfy.md)).
This change was already applied a while before this entry, but as some users were reporting the missing web app, this entry was added (see [#2529](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2529)).
# 2023-03-21
## The matrix-prometheus role lives independently now
**TLDR**: the `matrix-prometheus` role is now included from the [ansible-role-prometheus](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact.
The `matrix-prometheus` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Prometheus stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so.
Extracting the Prometheus role out of this Matrix playbook required huge internal refactoring to the way the Prometheus configuration (scraping jobs) is generated. If you notice any breakage after upgrading, let us know.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not.
If you're making use of Prometheus via this playbook, you will need to update variable references in your `vars.yml` file:
- `matrix_prometheus_docker_image_` -> `matrix_prometheus_container_image_`
- `matrix_prometheus_` -> `prometheus_`
- some other internal variables have changed, but the playbook will tell you about them
# 2023-03-12
## synapse-auto-compressor support
Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state)'s `synapse_auto_compressor` tool to run periodically.
If enabled, `synapse_auto_compressor` runs on a schedule and compresses your Synapse database's `state_groups` table. It was possible to run `rust-synapse-compress-state` manually via the playbook even before - see [Compressing state with rust-synapse-compress-state](docs/maintenance-synapse.md#compressing-state-with-rust-synapse-compress-state). However, using `synapse_auto_compressor` is better, because:
- it runs on a more up-to-date version of `rust-synapse-compress-state`
- it's a set-it-and-forget-it tool that you can enable and never have to deal with manual compression anymore
This tool needs to be enabled manually, for now. In the future, we're considering enabling it by default for all Synapse installations.
See our [Setting up synapse-auto-compressor](docs/configuring-playbook-synapse-auto-compressor.md) documentation to get started.
# 2023-03-07
## Sliding Sync Proxy (Element X) support
Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync).
The upcoming Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. **These clients are still in beta** (especially Element X Android, which requires manual compilation to get it working with a non-`matrix.org` homeseserver). Playbook users can now easily give these clients a try and help test them thanks to us having `sliding-sync` support.
To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page.
# 2023-03-02
## The matrix-etherpad role lives independently now
**TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not.
If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file:
- Rename `matrix_etherpad_public_endpoint` to `etherpad_path_prefix`
- Replace `matrix_etherpad_mode: dimension` with:
- for `matrix-nginx-proxy` users:
- `etherpad_nginx_proxy_dimension_integration_enabled: true`
- `etherpad_hostname: "{{ matrix_server_fqn_dimension }}"`
- for Traefik users:
- define your own `etherpad_hostname` and `etherpad_path_prefix` as you see fit
- Rename all other variables:
- `matrix_etherpad_docker_image_` -> `matrix_etherpad_container_image_`
- `matrix_etherpad_` -> `etherpad_`
Along with this relocation, the new role also:
- supports [self-building](docs/self-building.md), so it should work on `arm32` and `arm64` architectures
- has native Traefik reverse-proxy support (Etherpad requests no longer go through `matrix-nginx-proxy` when using Traefik)
# 2023-02-26
## Traefik is the default reverse-proxy now
**TLDR**: new installations will now default to Traefik as their reverse-proxy. Existing users need to explicitly choose their reverse-proxy type. [Switching to Traefik](#how-do-i-switch-my-existing-setup-to-traefik) is strongly encouraged. `matrix-nginx-proxy` may break over time and will ultimately be removed.
As mentioned 2 weeks ago in [(Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support](#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support), the playbook is moving to Traefik as its default SSL-terminating reverse-proxy.
Until now, we've been doing the migration gradually and keeping full backward compatibility. New installations were defaulting to `matrix-nginx-proxy` (just like before), while existing installations were allowed to remain on `matrix-nginx-proxy` as well. This makes things very difficult for us, because we need to maintain and think about lots of different setups:
- Traefik managed by the playbook
- Traefik managed by the user in another way
- another reverse-proxy on the same host (`127.0.0.1` port exposure)
- another reverse-proxy on another host (`0.0.0.0` port exposure)
- `matrix-nginx-proxy` - an `nginx` container managed by the playbook
- `nginx` webserver operated by the user, running without a container on the same server
Each change we do and each new feature that comes in needs to support all these different ways of reverse-proxying. Because `matrix-nginx-proxy` was the default and pretty much everyone was (and still is) using it, means that new PRs also come with `matrix-nginx-proxy` as their main focus and Traefik as an afterthought, which means we need to spend hours fixing up Traefik support.
We can't spend all this time maintaining so many different configurations anymore. Traefik support has been an option for 2 weeks and lots of people have already migrated their server and have tested things out. Traefik is what we use and preferentially test for.
It's time for the **next step in our migration process** to Traefik and elimination of `matrix-nginx-proxy`:
- Traefik is now the default reverse-proxy for new installations
- All existing users need to explicitly choose their reverse-proxy type by defining the `matrix_playbook_reverse_proxy_type` variable in their `vars.yml` configuration file. We strongly encourage existing users to [switch the Traefik](#how-to-switch-an-existing-setup-to-traefik), as the nginx setup is bound to become more and more broken over time until it's ultimately removed
### How do I switch my existing setup to Traefik?
**For users who are on `matrix-nginx-proxy`** (the default reverse-proxy provided by the playbook), switching to Traefik can happen with a simple configuration change. Follow this section from 2 weeks ago: [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now).
If you experience trouble:
1. Follow [How do I remain on matrix-nginx-proxy?](#how-do-i-remain-on-matrix-nginx-proxy) to bring your server back online using the old reverse-proxy
2. Ask for help in our [support channels](README.md#support)
3. Try switching to Traefik again later
**For users with a more special reverse-proxying setup** (another nginx server, Apache, Caddy, etc.), the migration may not be so smooth. Follow the [Using your own webserver](docs/configuring-playbook-own-webserver.md) guide. Ideally, your custom reverse-proxy will be configured in such a way that it **fronts the Traefik reverse-proxy** provided by the playbook. Other means of reverse-proxying are more fragile and may be deprecated in the future.
### I already use my own Traefik server. How do I plug that in?
See the [Traefik managed by the playbook](docs/configuring-playbook-own-webserver.md#traefik-managed-by-the-playbook) section.
### Why is matrix-nginx-proxy used even after switching to Traefik?
This playbook manages many different services. All these services were initially integrated with `matrix-nginx-proxy`.
While we migrate all these components to have native Traefik support, some still go through nginx internally (Traefik -> local `matrix-nginx-proxy` -> component).
As time goes on, internal reliance on `matrix-nginx-proxy` will gradually decrease until it's completely removed.
### How do I remain on matrix-nginx-proxy?
Most new work and testing targets Traefik, so remaining on nginx is **not** "the good old stable" option, but rather the "still available, but largely untested and likely to be broken very soon" option.
To proceed regardless of this warning, add `matrix_playbook_reverse_proxy_type: playbook-managed-nginx` to your configuration.
At some point in the **near** future (days, or even weeks at most), we hope to completely get rid of `matrix-nginx-proxy` (or break it enough to make it unusable), so you **will soon be forced to migrate** anyway. Plan your migration accordingly.
### How do I keep using my own other reverse-proxy?
We recommend that you follow the guide for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy).
# 2023-02-25
## Rageshake support
Thanks to [Benjamin Kampmann](https://github.com/gnunicorn), the playbook can now install and configure the [Rageshake](https://github.com/matrix-org/rageshake) bug report server.
Additional details are available in [Setting up Rageshake](docs/configuring-playbook-rageshake.md).
# 2023-02-17
## Synapse templates customization support
The playbook can now help you customize Synapse's templates.
Additional details are available in the [Customizing templates](docs/configuring-playbook-synapse.md#customizing-templates) section of our Synapse documentation.
## The matrix-redis role lives independently now
**TLDR**: the `matrix-redis` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`).
## The matrix-ntfy role lives independently now
**TLDR**: the `matrix-ntfy` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).
# 2023-02-15
## The matrix-grafana role lives independently now
**TLDR**: the `matrix-grafana` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`).
# 2023-02-13
## The matrix-backup-borg role lives independently now
**TLDR**: the `matrix-backup-borg` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`).
# 2023-02-12
## (Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support
**TLDR**:
- there's a new `matrix_playbook_reverse_proxy_type` variable (see [roles/custom/matrix-base/defaults/main.yml](roles/custom/matrix-base/defaults/main.yml)), which lets you tell the playbook what reverse-proxy setup you'd like to have. This makes it easier for people who want to do reverse-proxying in other ways.
- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing `matrix-nginx-proxy` users should not observe any changes** and can stay on this for now.
- **Users who use their [own other webserver](docs/configuring-playbook-own-webserver.md) (e.g. Apache, etc.) need to change** `matrix_playbook_reverse_proxy_type` to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`
- we now have **optional [Traefik](https://traefik.io/) support**, so you could easily host Matrix and other Traefik-native services in containers on the same server. Traefik support is still experimental (albeit, good enough) and will improve over time. It does work, but certain esoteric features may not be there yet.
- **Traefik will become the default reverse-proxy in the near future**. `matrix-nginx-proxy` will either remain as an option, or be completely removed to simplify the playbook
### Motivation for redoing our reverse-proxy setup
The playbook has supported various reverse-proxy setups for a long time.
We have various configuration variables (`matrix_nginx_proxy_enabled`, various `_host_bind_port` variables, etc.) which allow the playbook to adapt to these different setups. The whole situation was messy though - hard to figure out and with lots of variables to toggle to make things work as you'd expect - huge **operational complexity**.
We love containers, proven by the fact that **everything** that this playbook manages runs in a container. Yet, we weren't allowing people to easily host other web-exposed containers alongside Matrix services on the same server. We were using `matrix-nginx-proxy` (our integrated [nginx](https://nginx.org/) server), which was handling web-exposure and SSL termination for our own services, but we **weren't helping you with all your other containers**.
People who were **using `matrix-nginx-proxy`** were on the happy path on which everything worked well by default (Matrix-wise), **but** could not easily run other web-exposed services on their Matrix server because `matrix-nginx-proxy` was occupying ports `80` and `443`. Other services which wanted to get web exposure either had to be plugged into `matrix-nginx-proxy` (somewhat difficult) or people had to forgo using `matrix-nginx-proxy` in favor of something else.
Of those that decided to forgo `matrix-nginx-proxy`, many were **using nginx** on the same server without a container. This was likely some ancient nginx version, depending on your choice of distro. The Matrix playbook was trying to be helpful and even with `matrix_nginx_proxy_enabled: false` was still generating nginx configuration in `/matrix/nginx-proxy/conf.d`. Those configuration files were adapted for inclusion into an nginx server running locally. Disabling the `matrix-nginx-proxy` role like this, yet still having it produce files is a bit disgusting, but it's what we've had since the early beginnings of this playbook.
Others still, wanted to run Matrix locally (no SSL certificates), regardless of which web server technology this relied on, and then **reverse-proxy from another machine on the network** which was doing SSL termination. These people were:
- *either* relying on `matrix_nginx_proxy_enabled: false` as well, combined with exposing services manually (setting `_bind_port` variables)
- *or* better yet, they were keeping `matrix-nginx-proxy` enabled, but in `http`-only mode (no SSL certificate retrieval).
Despite this operational complexity, things worked and were reasonably flexible to adapt to all these situations.
When using `matrix-nginx-proxy` as is, we still had another problem - one of **internal playbook complexity**. Too many services need to be web-exposed (port 80/443, SSL certificates). Because of this, they all had to integrate with the `matrix-nginx-proxy` role. Tens of different roles explicitly integrating with `matrix-nginx-proxy` is not what we call clean. The `matrix-nginx-proxy` role contains variables for many of these roles (yikes). Other roles were more decoupled from it and were injecting configuration into `matrix-nginx-proxy` at runtime - see all the `inject_into_nginx_proxy.yml` task files in this playbook (more decoupled, but still.. yikes).
The next problem is one of **efficiency, interoperability and cost-saving**. We're working on other playbooks:
- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) for hosting the [Vaultwarden](https://github.com/dani-garcia/vaultwarden) server - an alternative implementation of the [Bitwarden](https://bitwarden.com/) password manager
- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for hosting the [Gitea](https://gitea.io/) git source code hosting service
- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for hosting the [Nextcloud](https://nextcloud.com/) groupware platform
We'd love for users to be able to **seamlessly use all these playbooks (and others, even) against a single server**. We don't want `matrix-nginx-proxy` to have a monopoly on port `80`/`443` and make it hard for other services to join in on the party. Such a thing forces people into running multiple servers (one for each service), which does provide nice security benefits, but is costly and ineffiecient. We'd like to make self-hosting these services cheap and easy.
These other playbooks have been using [Traefik](https://traefik.io/) as their default reverse-proxy for a long time. They can all coexist nicely together (as an example, see the [Interoperability](https://github.com/spantaleev/nextcloud-docker-ansible-deploy/blob/master/docs/configuring-playbook-interoperability.md) documentation for the [Nextcloud playbook](https://github.com/spantaleev/nextcloud-docker-ansible-deploy)). Now that this playbook is gaining Traefik support, it will be able to interoperate with them. If you're going this way, make sure to have the Matrix playbook install Traefik and have the others use `*_reverse_proxy_type: other-traefik-container`.
Finally, at [etke.cc - a managed Matrix server hosting service](https://etke.cc) (built on top of this playbook, and coincidentally [turning 2 years old today](https://etke.cc/news/upsyw4ykbtgmwhz8k7ukldx0zbbfq-fh0iqi3llixi0/) 🎉), we're allowing people to host some additional services besides Matrix components. Exposing these services to the web requires ugly hacks and configuration files being dropped into `/matrix/nginx-proxy/conf.d`. We believe that everything should run in independent containers and be exposed to the web via a Traefik server, without a huge Ansible role like `matrix-nginx-proxy` that everything else needs to integrate with.
### How do these changes fix all these problems?
The new `matrix_playbook_reverse_proxy_type` lets you easily specify your preferred reverse-proxy type, including `other-on-same-host`, `other-on-another-host` and `none`, so people who'd like to reverse-proxy with their own web server have more options now.
Using Traefik greatly simplifies things, so going forward we'll have a simpler and easier to maintain playbook, which is also interoperable with other services.
Traefik is a web server, which has been specifically **designed for reverse-proxying to services running in containers**. It's ideal for usage in an Ansible playbook which runs everything in containers.
**Traefik obtains SSL certificates automatically**, so there's no need for plugging additional tools like [Certbot](https://certbot.eff.org/) into your web server (like we were doing in the `matrix-nginx-proxy` role). No more certificate renewal timers, web server reloading timers, etc. It's just simpler.
Traefik is a **modern web server**. [HTTP/3](https://doc.traefik.io/traefik/routing/entrypoints/#http3) is supported already (experimentally) and will move to stable soon, in the upcoming Traefik v3 release.
Traefik does not lock important functionality we'd like to use into [plus packages like nginx does](https://www.nginx.com/products/nginx/), leading us to resolve to configuration workarounds. The default Traefik package is good enough as it is.
### Where we're at right now?
`matrix_playbook_reverse_proxy_type` still defaults to a value of `playbook-managed-nginx`.
Unless we have some regression, **existing `matrix-nginx-proxy` users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected.
**Users using [their own webservers](docs/configuring-playbook-own-webserver.md) will need to change `matrix_playbook_reverse_proxy_type`** to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`. Previously, they could toggle `matrix_nginx_proxy_enabled` to `false`, and that made the playbook automatically expose services locally. Currently, we only do this if you change the reverse-proxy type to `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`.
#### How do I explicitly switch to Traefik right now?
**Users who wish to migrate to Traefik** today, can do so by **adding** this to their configuration:
```yaml
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
```
You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed.
Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/matrix/traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble.
**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/matrix/traefik`), so you may run into a Let's Encrypt rate limit if you do it often.
Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time.
Some services (like [Coturn](docs/configuring-playbook-turn.md) and [Postmoogle](docs/configuring-playbook-bot-postmoogle.md)) cannot be reverse-proxied to directly from Traefik, so they require direct access to SSL certificate files extracted out of Traefik. The playbook does this automatically thanks to a new [com.devture.ansible.role.traefik_certs_dumper](https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper) role utilizing the [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) tool.
Our Traefik setup mostly works, but certain esoteric features may not work. If you have a default setup, we expect you to have a good experience.
### Where we're going in the near future?
The `matrix-nginx-proxy` role is quite messy. It manages both nginx and Certbot and its certificate renewal scripts and timers. It generates configuration even when the role is disabled (weird). Although it doesn't directly reach into variables from other roles, it has explicit awareness of various other services that it reverse-proxies to (`roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2`, etc.). We'd like to clean this up. The only way is probably to just get rid of the whole thing at some point.
For now, `matrix-nginx-proxy` will stay around.
As mentioned above, Traefik still reverse-proxies to some (most) services by going through a local-only `matrix-nginx-proxy` server. This has allowed us to add Traefik support to the playbook early on (without having to rework all services), but is not the final goal. We'll **work on making each service support Traefik natively**, so that traffic will not need to go through `matrix-nginx-proxy` anymore. In the end, choosing Traefik should only give you a pure Traefik installation with no `matrix-nginx-proxy` in sight.
As Traefik support becomes complete and proves to be stable for a while, especially as a playbook default, we will **most likely remove `matrix-nginx-proxy` completely**. It will likely be some months before this happens though. Keeping support for both Traefik and nginx in the playbook will be a burden, especially with most of us running Traefik in the future. The Traefik role should do everything nginx does in a better and cleaner way. Users who use their own `nginx` server on the Matrix server will be inconvenienced, as nothing will generate ready-to-include nginx configuration for them. Still, we hope it won't be too hard to migrate their setup to another way of doing things, like:
- not using nginx anymore. A common reason for using nginx until now was that you were running other containers and you need your own nginx to reverse-proxy to all of them. Just switch them to Traefik as well.
- running Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`).
### How do I help?
You can help by:
- **explicitly switching your server to Traefik** right now (see example configuration in [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now) above), testing, reporting troubles
- **adding native Traefik support to a role** (requires adding Traefik labels, etc.) - for inspiration, see these roles ([prometheus_node_exporter](https://gitlab.com/etke.cc/roles/prometheus_node_exporter), [prometheus_postgres_exporter](https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter)) and how they're hooked into the playbook via [group_vars/matrix_servers](group_vars/matrix_servers).
- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server
# 2023-02-10
## Matrix Authentication Support for Jitsi
Thanks to [Jakob S.](https://github.com/jakicoll) ([zakk gGmbH](https://github.com/zakk-it)), Jitsi can now use Matrix for authentication (via [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)).
Additional details are available in the [Authenticate using Matrix OpenID (Auth-Type 'matrix')](docs/configuring-playbook-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix).
## Draupnir moderation tool (bot) support
Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer.
Additional details are available in [Setting up Draupnir](docs/configuring-playbook-bot-draupnir.md).
# 2023-02-05
## The matrix-prometheus-postgres-exporter role lives independently now
**TLDR**: the `matrix-prometheus-postgres-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
The `matrix-prometheus-postgres-exporter` role (which configures [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter
It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact.
The `matrix-prometheus-services-proxy-connect` role has bee adjusted to help integrate the new `prometheus_postgres_exporter` role with our own services (`matrix-nginx-proxy`)
Other roles which aren't strictly related to Matrix are likely to follow this fate of moving to their own repositories. Extracting them out allows other Ansible playbooks to make use of these roles easily.
# 2023-01-26
## Coturn can now use host-networking
Large Coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow Coturn service startup and shutdown.
Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this:
```yaml
matrix_coturn_docker_network: host
```
With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops.
This, however, means that **you will need to ensure these ports are open** in your firewall yourself.
Thanks to us [tightening Coturn security](#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues), running Coturn with host-networking should be safe and not expose neither other services running on the host, nor other services running on the local network.
## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it.
Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of Coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your Coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run Coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better.
If you access your Matrix server from a local network and need Coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
We've also added `no-multicast-peers` to the default Coturn configuration, but we don't expect this to cause trouble for most people.
# 2023-01-21
## The matrix-prometheus-node-exporter role lives independently now
**TLDR**: the `matrix-prometheus-node-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter.
The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter
It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact.
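Review bot: the new CHANGELOG text carries three typos that should be fixed before merge: `ineffiecient` (the "efficiency, interoperability and cost-saving" paragraph), `Treafik directly reverse-proxies` (the paragraph on services still routed through `matrix-nginx-proxy`) and `has bee adjusted` (the postgres-exporter section). The Coturn host-networking paragraph has a double negative, `should be safe and not expose neither other services ... nor`; it should read `should be safe and expose neither other services running on the host nor other services running on the local network`. The 2023-01-21 section also repeats its first sentence twice with only the trailing period differing; keep one copy, and match the postgres-exporter section above, which ends its URL without a period. Finally, the "How do I explicitly switch to Traefik right now?" note says toggling the reverse-proxy type deletes everything under `/matrix/traefik`, including `acme.json`; since the Coturn/Postmoogle paragraph says certificate files are extracted out of Traefik for those services, it would help operators to state that those dumped certificates are regenerated (or where they live) after such a toggle.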
@ -192,11 +567,11 @@ Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx-
Until now, [Etherpad](https://etherpad.org/) (which [the playbook could install for you](docs/configuring-playbook-etherpad.md)) required the [Dimension integration manager](docs/configuring-playbook-dimension.md) to also be installed, because Etherpad was hosted on the Dimension domain (at `dimension.DOMAIN/etherpad`).
From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`matrix_etherpad_mode: standalone`).
From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`etherpad_mode: standalone`).
If you've already got both Etherpad and Dimension in use you could:
- **either** keep hosting Etherpad under the Dimension domain by adding `matrix_etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary.
- **either** keep hosting Etherpad under the Dimension domain by adding `etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary.
- **or**, you could change to hosting Etherpad separately on `etherpad.DOMAIN`. You will need to [configure a DNS record](docs/configuring-dns.md) for this new domain. You will also need to reconfigure Dimension to use the new pad URLs (`https://etherpad.DOMAIN/...`) going forward (refer to our [configuring Etherpad documentation](docs/configuring-playbook-etherpad.md)). All your existing room widgets (which still use `https://dimension.DOMAIN/etherpad/...`) will break as Etherpad is not hosted there anymore. You will need to re-add them or to consider not using `standalone` mode
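Review bot: rewriting this historical entry from `matrix_etherpad_mode` to `etherpad_mode` erases the record of the old variable name, which is exactly what someone upgrading from an older checkout will search for; consider keeping a short parenthetical such as `(previously matrix_etherpad_mode)` in at least one of the two edited sentences. Also, the final bullet ends without a period: `You will need to re-add them or to consider not using \`standalone\` mode`.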
@ -483,14 +858,14 @@ See our [Setting up the ntfy push notifications server](docs/configuring-playboo
**If you are using the [Hookshot bridge](docs/configuring-playbook-bridge-hookshot.md)**, you may find that:
1. **Metrics may not be enabled by default anymore**:
- If Prometheus is enabled (`matrix_prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network.
- If Prometheus is enabled (`prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network.
- **If Prometheus is not enabled** (you are either not using Prometheus or are using an external one), **Hookshot metrics will not be enabled by default anymore**. Feel free to enable them by setting `matrix_hookshot_metrics_enabled: true`. Also, see below.
2. When metrics are meant to be **consumed by an external Prometheus server**, `matrix_hookshot_metrics_proxying_enabled` needs to be set to `true`, so that metrics would be exposed (proxied) "publicly" on `https://matrix.DOMAIN/metrics/hookshot`. To make use of this, you'll also need to enable the new `https://matrix.DOMAIN/metrics/*` endpoints mentioned above, using `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. Learn more in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation.
3. **We've changed the URL we're exposing Hookshot metrics at** for external Prometheus servers. Until now, you were advised to consume Hookshot metrics from `https://stats.DOMAIN/hookshot/metrics` (working in conjunction with `matrix_nginx_proxy_proxy_synapse_metrics`). From now on, **this no longer works**. As described above, you need to start consuming metrics from `https://matrix.DOMAIN/metrics/hookshot`.
**If you're using node-exporter** (`matrix_prometheus_node_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_node_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/node-exporter`.
**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`matrix_prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`.
**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`.
**If you're using Synapse** and would like to collect its metrics from an external Prometheus server, you may find that:
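Review bot: this hunk is now internally inconsistent. The postgres-exporter line is updated to `prometheus_postgres_exporter_enabled` and `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`, but the node-exporter line immediately above it still refers to `matrix_prometheus_node_exporter_enabled` and `matrix_prometheus_node_exporter_metrics_proxying_enabled`, even though the 2023-01-21 entry earlier in this diff states that role was extracted and its variables renamed to the `prometheus_node_exporter_` prefix. Either update the node-exporter sentence in the same way or leave both lines with their original names and let the rename be announced only in the dated entries.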

@ -18,6 +18,15 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co
[Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)).
## Self-hosting or SaaS
This Ansible playbook tries to make self-hosting and maintaining a Matrix server fairly easy. Still, running any service smoothly requires knowledge, time and effort.
If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc/) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease.
If you like learning and experimentation, but would rather reduce future maintenance effort, you can even go for a hybrid approach - self-hosting manually using this Ansible playbook at first and then transferring server maintenance to etke.cc at a later time.
## Supported services
Using this playbook, you can get the following list of services configured on your server. Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
@ -32,7 +41,7 @@ You can always re-run the playbook later to add or remove components.
The homeserver is the backbone of your matrix system. Choose one from the following list.
| Name | Default? | Description | Documentation |
| ---- | -------- | ----------- | ------------- |
| ---- | -------- | ----------- | ------------- |
| [Synapse](https://github.com/matrix-org/synapse) | ✓ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
| [Conduit](https://conduit.rs) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
| [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |
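Review bot: the only changed line in this hunk is the table separator row `| ---- | -------- | ----------- | ------------- |`, and the before/after versions render identically, so the change is whitespace-only. If this is trailing-whitespace trimming from an editor, it is harmless but adds noise to the diff; if it is not, the intended change is missing.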
@ -57,10 +66,11 @@ Services that run on the server to make the various parts of your installation w
| ---- | -------- | ----------- | ------------- |
| [PostgreSQL](https://www.postgresql.org/)| ✓ | Database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) |
| [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) |
| [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) |
| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) |
| [Traefik](https://doc.traefik.io/traefik/) | ✓ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-traefik.md) |
| [nginx](http://nginx.org/) | x | (Deprecated) Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Deprecated in favor of Traefik | [Link](docs/configuring-playbook-nginx.md) |
| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) |
| [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md)
| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | - |
| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) |
| [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) |
| [Sygnal](https://github.com/matrix-org/sygnal) | x | Push gateway | [Link](docs/configuring-playbook-sygnal.md) |
| [ntfy](https://ntfy.sh) | x | Push notifications server | [Link](docs/configuring-playbook-ntfy.md) |
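Review bot: with Traefik now marked as the default (`✓`) and nginx demoted to `x` "(Deprecated)", the Let's Encrypt row still links to `docs/configuring-playbook-ssl-certificates.md`; please confirm that page describes Traefik's automatic ACME issuance (the CHANGELOG in this same diff says certificates now live in `/matrix/traefik/ssl/acme.json`) rather than the Certbot-based flow, since it is now the path new users land on. Two smaller points in the same table: the Traefik and deprecated nginx rows both claim to listen on ports 80, 443 and 8448, which is confusing for a component that is no longer installed by default, and the `ma1sd` row is missing its closing `|`.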
@ -71,7 +81,7 @@ Services that run on the server to make the various parts of your installation w
Extend and modify how users are authenticated on your homeserver.
| Name | Default? | Description | Documentation |
| ---- | -------- | ----------- | ------------- |
| ---- | -------- | ----------- | ------------- |
| [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) |
|[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) |
| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) |
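Review bot: as in the homeserver table, the changed separator row here is whitespace-only. While touching this table, two visible inconsistencies are worth fixing: the shared-secret-auth row lacks the space after its leading `|` (`|[matrix-synapse-shared-secret-auth]`), and the LDAP row's documentation link is `configuring-playbook-ldap-auth.md` without the `docs/` prefix every other row uses, so it will 404 when rendered from the repository root.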
@ -135,6 +145,7 @@ Bots provide various additional functionality to your installation.
| [Postmoogle](https://gitlab.com/etke.cc/postmoogle) | x | Email to matrix bot | [Link](docs/configuring-playbook-bot-postmoogle.md) |
| [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) |
| [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) |
| [Draupnir](https://github.com/Gnuxie/Draupnir) | x | A moderation tool for Matrix (Fork of Mjolnir) | [Link](docs/configuring-playbook-bot-draupnir.md) |
| [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) |
| [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) | x | ChatGPT from matrix | [Link](docs/configuring-playbook-bot-chatgpt.md) |
@ -148,6 +159,7 @@ Services that help you in administrating and monitoring your matrix installation
| [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) | x | A web UI tool for administrating users and rooms on your Matrix server | [Link](docs/configuring-playbook-synapse-admin.md) |
| Metrics and Graphs | x | Consists of the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI | [Link](docs/configuring-playbook-prometheus-grafana.md) |
| [Borg](https://borgbackup.org) | x | Backups | [Link](docs/configuring-playbook-backup-borg.md) |
| [Rageshake](https://github.com/matrix-org/rageshake) | x | Bug report server | [Link](docs/configuring-playbook-rageshake.md) |
### Misc
@ -155,6 +167,8 @@ Various services that don't fit any other category.
| Name | Default? | Description | Documentation |
| ---- | -------- | ----------- | ------------- |
| [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) |
| [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | x | A cli tool that automatically compresses `state_groups` database table in background. | [Link](docs/configuring-playbook-synapse-auto-compressor.md) |
| [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) |
| [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) |
| [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) |
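Review bot: the new sliding-sync row is missing the space before its cell delimiter (`[sliding-sync](https://github.com/matrix-org/sliding-sync)| x |`), unlike the other rows in the table; it still renders, but keep the formatting consistent.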
@ -183,6 +197,16 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
## Services by the community
## Related
You may also be interested in these other Ansible playbooks:
- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for deploying a [Gitea](https://gitea.io/) git version-control server
- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for deploying a [Nextcloud](https://nextcloud.com/) server
- [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy) - for deploying a [PeerTube](https://joinpeertube.org/) video-platform server
- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) - for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server)
- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain
They're all making use of Traefik as their reverse-proxy, so it should be easy to host all these services on the same server. Follow the `docs/configuring-playbook-interoperability.md` documentation in each playbook.
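Review bot: the new `## Services by the community` heading is empty; it is immediately followed by `## Related`, so either add its content or drop the heading until there is something to list. In the "Related" list, the closing sentence `They're all making use of Traefik as their reverse-proxy ... Follow the docs/configuring-playbook-interoperability.md documentation in each playbook` does not fit the last bullet, since etke.cc is a hosted service rather than a playbook with such a document; move the etke.cc entry out of the playbook list or reword the sentence to cover only the four playbooks.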

@ -0,0 +1,28 @@
import sys, main, os, uservar
key = os.environ.get('MATRIX_KEY')
def checks():
if uservar.ip is None:
print("ERROR: IP variable empty")
sys.exit()
if uservar.heisenberg_bridge == True and not uservar.heisenbridge_owner:
print("please fill in a matrix user")
sys.exit()
if uservar.appservice_discord_bridge and not uservar.appservice_discord_brige_client_id or not uservar.appservice_discord_bridge_token:
print("ERROR: fill out all appservice variables")
sys.exit()
if key is None and uservar.add_key == False:
homeserver_key = os.popen("pwgen -s 64 1").read()
homeserver_key = main.func(homeserver_key)
print("if ist durch")
with open('/home/{}/.bashrc'.format(main.user), 'a') as f:
f.write("export MATRIX_KEY={}".format(homeserver_key))
f.close()
elif key is not None and uservar.add_key == False:
homeserver_key = key
elif uservar.add_key == True:
homeserver_key = uservar.homeserver_key
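Review bot: the appservice check has an operator-precedence bug: `if uservar.appservice_discord_bridge and not uservar.appservice_discord_brige_client_id or not uservar.appservice_discord_bridge_token:` parses as `(A and not B) or not C`, so it aborts whenever the Discord token is empty even when the bridge is disabled; wrap the two `not` terms in parentheses. The attribute name `appservice_discord_brige_client_id` also looks misspelled relative to `appservice_discord_bridge_token`. Other points in the same file: `print("if ist durch")` is a leftover debug line; every `sys.exit()` after an `ERROR:` message exits with status 0, so callers cannot tell failure from success, use `sys.exit(1)`; `f.close()` inside a `with` block is redundant; the `.bashrc` write `f.write("export MATRIX_KEY={}".format(homeserver_key))` has no trailing newline, so the next append to that file will land on the same line; `os.popen("pwgen -s 64 1").read()` returns a trailing newline that ends up in the key unless `main.func` strips it; and `uservar.add_key == True` / `== False` comparisons leave `homeserver_key` unassigned if `add_key` is ever unset (`None`), which will raise later. Finally, appending the generated homeserver key to the user's `.bashrc` makes a secret readable by every process that user runs and by anything that backs up or inspects shell dotfiles; a dedicated file with restrictive permissions (or the environment of just the process that needs it) is the safer place for it.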

@ -65,7 +65,7 @@ docker run -it --rm \
-w /work \
-v `pwd`:/work \
--entrypoint=/bin/sh \
docker.io/devture/ansible:2.13.6-r0-1
docker.io/devture/ansible:2.13.6-r0-3
```
Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
@ -86,7 +86,7 @@ docker run -it --rm \
-v `pwd`:/work \
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
--entrypoint=/bin/sh \
docker.io/devture/ansible:2.13.6-r0
docker.io/devture/ansible:2.13.6-r0-3
```
The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).

@ -6,9 +6,9 @@ That means your daily incremental backups can be stored in a fraction of the spa
You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com).
The backup will run based on `matrix_backup_borg_schedule` var (systemd timer calendar), default: 4am every day.
The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day.
By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `matrix_backup_borg_postgresql_enabled` variable.
By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable.
## Prerequisites
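Review bot: renaming `matrix_backup_borg_schedule` and `matrix_backup_borg_postgresql_enabled` to `backup_borg_schedule` and `backup_borg_postgresql_enabled` is a breaking change for existing installations, and a stale `matrix_backup_borg_enabled: true` makes backups silently stop rather than fail. The page should link the CHANGELOG entry for the rename and, ideally, the playbook should add a validation task that fails when any `matrix_backup_borg_*` variable is still defined.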
@ -38,11 +38,11 @@ cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc
Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable borg backup:
```yaml
matrix_backup_borg_enabled: true
matrix_backup_borg_location_repositories:
backup_borg_enabled: true
backup_borg_location_repositories:
- ssh://USER@HOST/./REPO
matrix_backup_borg_storage_encryption_passphrase: "PASSPHRASE"
matrix_backup_borg_ssh_key_private: |
backup_borg_storage_encryption_passphrase: "PASSPHRASE"
backup_borg_ssh_key_private: |
-----BEGIN OPENSSH PRIVATE KEY-----
TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZW
xpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRv
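Review bot: the minimal example places the repository passphrase (`backup_borg_storage_encryption_passphrase`) and the full SSH private key (`backup_borg_ssh_key_private`) in plaintext in `vars.yml`, which is usually committed to git. Suggest one sentence recommending `ansible-vault` for these two values, and mark the key body as a placeholder so nobody copies the Lorem-ipsum block literally.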
@ -58,13 +58,13 @@ where:
* HOST - SSH host of a provider/server
* REPO - borg repository name, it will be initialized on backup start, eg: `matrix`, regarding Syntax see [Remote repositories](https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls)
* PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager
* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `matrix_backup_borg_ssh_key_private` needs to be indented with 2 spaces
* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `backup_borg_ssh_key_private` needs to be indented with 2 spaces
To backup without encryption, add `matrix_backup_borg_encryption: 'none'` to your vars. This will also enable the `matrix_backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
`matrix_backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `matrix_backup_borg_location_exclude_patterns` variable.
`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable.
Check the `roles/custom/matrix-backup-borg/defaults/main.yml` file for the full list of available options.
Check the [backup_borg role](https://gitlab.com/etke.cc/roles/backup_borg)'s [defaults/main.yml](https://gitlab.com/etke.cc/roles/backup_borg/-/blob/main/defaults/main.yml) file for the full list of available options.
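Review bot: the `backup_borg_encryption: 'none'` paragraph should spell out the consequence: with encryption off, whoever operates the remote repository (including the hosted providers mentioned under Prerequisites) can read everything in the archive, including the Postgres dumps that the page says are included by default. The unchanged REPO bullet reads "regarding Syntax see", better as "for the syntax, see".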
## Installing

@ -2,8 +2,32 @@
The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/buscarron) for you.
It's a bot you can use to setup **your own helpdesk on matrix**
It's a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) matrix room
Buscarron is bot that receives HTTP POST submissions of web forms and forwards them to a Matrix room.
## Decide on a domain and path
By default, Buscarron is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
You can override the domain and path like this:
```yaml
# Switch to the domain used for Matrix services (`matrix.DOMAIN`),
# so we won't need to add additional DNS records for Buscarron.
matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /buscarron subpath
matrix_bot_buscarron_path_prefix: /buscarron
```
**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_buscarron` (e.g. `matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"`).
## Adjusting DNS records
Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Buscarron domain to the Matrix server.
If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
## Adjusting the playbook configuration
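Review bot: the new description line "Buscarron is bot that receives HTTP POST submissions" is missing the article ("is a bot"). The **NOTE** says the path prefix cannot be overridden under `matrix-nginx-proxy`, but the example block above sets `matrix_bot_buscarron_path_prefix: /buscarron` without any caveat; a short comment in the example that the prefix applies to Traefik only would stop nginx users from copying a setting that is ignored.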
@ -31,16 +55,6 @@ matrix_bot_buscarron_forms:
matrix_bot_buscarron_spamlist: [] # (optional) list of emails/domains/hosts (with wildcards support) that should be rejected automatically
```
You will also need to add a DNS record so that buscarron can be accessed.
By default buscarron will use https://buscarron.DOMAIN so you will need to create an CNAME record for `buscarron`.
See [Configuring DNS](configuring-dns.md).
If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain):
```yaml
matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"
```
## Installing
@ -67,4 +81,12 @@ To use the bot, invite the `@bot.buscarron:DOMAIN` to the room you specified in
</form>
```
**NOTE**: to fight against spam, Buscarron is **very aggressive when it comes to banning** and will ban you if:
- if you hit the homepage (HTTP `GET` request to `/`)
- if you submit a form to the wrong URL (`POST` request to `/non-existing-form`)
- if `hasemail` is enabled for the form (like in the example above) and you don't submit an `email` field
If you get banned, you'd need to restart the process by running the playbook with `--tags=start` or running `systemctl restart matrix-bot-buscarron` on the server.
You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/buscarron).
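Review bot: the added ban list repeats "if": the lead-in ends with "will ban you if:" and each bullet starts with "if you ...", so drop the bullet-level "if". The restart hint (`--tags=start` or `systemctl restart matrix-bot-buscarron`) implies bans are kept only in process memory; saying so explicitly would tell the reader why a restart clears them.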

@ -32,11 +32,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
```yaml
matrix_bot_chatgpt_enabled: true
# See instructions on
# https://www.npmjs.com/package/chatgpt
matrix_bot_chatgpt_openai_email: ''
matrix_bot_chatgpt_openai_password: ''
matrix_bot_chatgpt_openai_login_type: google
# Obtain a new API key from https://platform.openai.com/account/api-keys
matrix_bot_chatgpt_openai_api_key: ''
# This is the default username
# matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt'
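Review bot: replacing `matrix_bot_chatgpt_openai_email`, `matrix_bot_chatgpt_openai_password` and `matrix_bot_chatgpt_openai_login_type` with `matrix_bot_chatgpt_openai_api_key` drops the old login variables without telling existing users that they no longer do anything; add a CHANGELOG pointer and ideally have the role fail when the removed variables are still defined. The API key is a billable credential, so the comment on that line could recommend storing it with `ansible-vault`.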

@ -0,0 +1,114 @@
# Setting up draupnir (optional)
The playbook can install and configure the [draupnir](https://github.com/Gnuxie/Draupnir) moderation bot for you.
See the project's [documentation](https://github.com/Gnuxie/Draupnir) to learn what it does and why it might be useful to you.
If your migrating from Mjolnir skip to step 5b.
## 1. Register the bot account
The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver.
You **need to register the bot user manually** before setting up the bot.
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
You can use the playbook to [register a new user](registering-users.md):
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
```
If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
## 2. Get an access token
Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
## 3. Make sure the account is free from rate limiting
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
1. Copy the statement below into a text editor.
```
INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0);
```
1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.
1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)
1. Connect to Synapse's database by typing `\connect synapse` into the database terminal
1. Paste in the `INSERT INTO` command that you edited and press enter.
You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:
```
user_id | messages_per_second | burst_count
-----------------------+---------------------+-------------
@bot.draupnir:raim.ist | 0 | 0`
```
then you did it correctly.
## 4. Create a management room
Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room. The room must be unencrypted since the playbook does not support installing Pantalaimon yet.
Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`.
Finally invite the `@bot.draupnir:DOMAIN` account you created earlier into the room.
## 5a. Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_4_GOES_HERE` with the your own values.
```yaml
matrix_bot_draupnir_enabled: true
matrix_bot_draupnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE"
matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE"
```
## 5b. Migrating from Mjolnir (Only required if migrating.)
Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable mjolnir if you're doing migration.
That is all you need to do due to that Draupnir can complete migration on its own.
## 6. Installing
After configuring the playbook, run the [installation](installing.md) command:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
You can refer to the upstream [documentation](https://github.com/Gnuxie/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file.
For example to change draupnir's `recordIgnoredInvites` option to `true` you would add the following to your `vars.yml` file.
```yaml
matrix_bot_draupnir_configuration_extension_yaml: |
# Your custom YAML configuration goes here.
# This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_bot_draupnir_configuration_yaml`.
recordIgnoredInvites: true
```
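Review bot: the sample `SELECT * FROM ratelimit_override;` output has a stray backtick at the end of the `@bot.draupnir:raim.ist | 0 | 0` row and uses a real domain instead of the `DOMAIN` placeholder used everywhere else in the document. The Usage section links the quickstart at `github.com/matrix-org/draupnir/...` while the project is introduced as `github.com/Gnuxie/Draupnir`; one of the two URLs is wrong. Step 3 itself says editing the Synapse database is rarely a good idea yet makes the SQL the main procedure; since the admin API is linked, consider making the API call the primary instructions and the SQL the fallback. Wording: "If your migrating" (you're), "coping the internal room ID" (copying), "with the your own values", and "due to that Draupnir can complete migration on its own" (because Draupnir completes the migration on its own).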

@ -24,6 +24,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb
Once the user is created you can [obtain an access token](obtaining-access-tokens.md).
## Decide on a domain and path
By default, Go-NEB is configured to use its own dedicated domain (`goneb.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
You can override the domain and path like this:
```yaml
# Switch to the domain used for Matrix services (`matrix.DOMAIN`),
# so we won't need to add additional DNS records for Go-NEB.
matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /go-neb subpath
matrix_bot_go_neb_path_prefix: /go-neb
```
**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`).
## Adjusting DNS records
Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Go-NEB domain to the Matrix server.
If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
@ -193,9 +218,7 @@ matrix_bot_go_neb_services:
## Installing
Don't forget to add `goneb.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
After configuring the playbook, run the [installation](installing.md) command again:
After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start

@ -8,8 +8,6 @@ The playbook can install and configure [mautrix-slack](https://github.com/mautri
See the project's [documentation](https://docs.mau.fi/bridges/go/slack/index.html) to learn what it does and why it might be useful to you.
Note that as of Oct 2022, support for multiple Matrix users using the bot is incomplete. Different users do not yet share the bridged channels. Everyone gets their own copy.
See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMAP.md) for more information.

@ -24,7 +24,7 @@ matrix_cactus_comments_enabled: true
# To do this you need to uncomment one of the following lines (depending if you are using synapse or dentrite as a homeserver)
# If you don't know which one you use: The default is synapse ;)
# matrix_synapse_allow_guest_access: true
# matrix_dentrite_allow_guest_access
# matrix_dentrite_allow_guest_access: true
```
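Review bot: the fix adds the missing `: true`, but the variable is still spelled `matrix_dentrite_allow_guest_access` and the comment above says "dentrite"; the homeserver is Dendrite, so please check the variable name against the Dendrite role's defaults, otherwise uncommenting this line has no effect.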
## Installing

@ -6,14 +6,29 @@ If you're just installing Matrix services for the first time, please continue wi
**Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
## Prerequisites
## Decide on a domain and path
The `dimension.<your-domain>` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
By default, Dimension is configured to use its own dedicated domain (`dimension.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
You can override the domain and path like this:
```yaml
# Switch to another hostname compared to the default (`dimension.{{ matrix_domain }}`)
matrix_dimension_hostname: "integrations.{{ matrix_domain }}"
```
While there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible right now due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You must serve Dimension at a dedicated subdomain until this issue is solved.
## Adjusting DNS records
Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server.
## Enable
[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
To enable Dimension, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_dimension_enabled: true
@ -54,7 +69,7 @@ For more information on how to acquire an access token, visit [https://t2bot.io/
## Installation
After these variables have been set, please run the following command to re-run setup and to restart Dimension:
After these variables have been set and you have potentially [adjusted your DNS records](#adjusting-dns-records), please run the following command to re-run setup and to restart Dimension:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start

@ -1,19 +1,41 @@
# Setting up Etherpad (optional)
[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app.
[Etherpad](https://etherpad.org) is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app.
When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences.
## Prerequisites
## Decide on a domain and path
Etherpad can be installed in 2 modes:
By default, Etherpad is configured to use its own dedicated domain (`etherpad.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
- (default) `standalone` mode (`matrix_etherpad_mode: standalone`) - Etherpad will be hosted on `etherpad.<your-domain>` (`matrix_server_fqn_etherpad`), so the DNS record for this domian must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up the `etherpad` DNS record correctly
You can override the domain and path like this:
- `dimension` mode (`matrix_etherpad_mode: dimension`) - Etherpad will be hosted on `dimension.<your-domain>/etherpad` (`matrix_server_fqn_dimension`). This requires that you **first** configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md)
```yaml
# Switch to the domain used for Matrix services (`matrix.DOMAIN`),
# so we won't need to add additional DNS records for Etherpad.
etherpad_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /etherpad subpath
etherpad_path_prefix: /etherpad
```
**NOTE**: When using the old `matrix-nginx-proxy` reverse-proxy instead of Traefik, you have only 2 choices:
- serving Etherpad at its own dedicated domain:
- you need to set the domain using the `matrix_server_fqn_etherpad` variable (not `etherpad_hostname`)
- you must use `etherpad_path_prefix: /`
- serving Etherpad at the [Dimension](configuring-playbook-dimension.md) integration manager's domain (`matrix_server_fqn_dimension`)
- you need to have Dimension enabled
- you need to add `etherpad_path_prefix: /etherpad` or another prefix (different than `/`)
- you need to add `etherpad_nginx_proxy_dimension_integration_enabled: true` to enable this integration
## Adjusting DNS records
We recomend that you go with the default (`standalone`) mode, which makes Etherpad independent and allows it to be used with or without Dimension.
Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Etherpad domain to the Matrix server.
If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
## Installing
@ -21,48 +43,51 @@ We recomend that you go with the default (`standalone`) mode, which makes Etherp
[Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_etherpad_enabled: true
# Uncomment below if you'd like to install Etherpad on the Dimension domain (not recommended)
# matrix_etherpad_mode: dimension
etherpad_enabled: true
# Uncomment below to enable the admin web UI
# matrix_etherpad_admin_username: admin
# matrix_etherpad_admin_password: some-password
# etherpad_admin_username: admin
# etherpad_admin_password: some-password
```
If enabled, the admin web-UI should then be available on `https://etherpad.<your-domain>/admin` (or `https://dimension.<your-domain>/etherpad/admin`, if `matrix_etherpad_mode: dimension`)
Then, [run the installation process](installing.md) again (e.g. `just install-all`).
## Usage
The Etherpad UI should be available at `https://etherpad.<your-domain>`, while the admin UI (if enabled) should then be available at `https://etherpad.<your-domain>/admin`.
If you've [decided on another hostname or path-prefix](#decide-on-a-domain-and-path) (e.g. `https://matrix.DOMAIN/etherpad`), adjust these URLs accordingly before usage.
## Managing / Deleting old pads
### Managing / Deleting old pads
If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above.
Then from the plugin manager page (`https://etherpad.<your-domain>/admin/plugins` or `https://dimension.<your-domain>/etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI.
Then from the plugin manager page (`https://etherpad.<your-domain>/admin/plugins`, install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI.
## How to use Etherpad widgets without an Integration Manager (like Dimension)
### How to use Etherpad widgets without an Integration Manager (like Dimension)
This is how it works in Element, it might work quite similar with other clients:
To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section.
## Set Dimension default to the self-hosted Etherpad (optional)
### Set Dimension default to the self-hosted Etherpad (optional)
If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template.
The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab.
### Removing the integrated Etherpad chat
#### Removing the integrated Etherpad chat
If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Examples:
- `https://etherpad.<your-domain>/p/$roomId_$padName?showChat=false` (for the default - `matrix_etherpad_mode: standalone`)
If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template.
- `https://dimension.<your-domain>/etherpad/p/$roomId_$padName?showChat=false` (for `matrix_etherpad_mode: dimension`)
Example: `https://etherpad.<your-domain>/p/$roomId_$padName?showChat=false`
### Known issues
## Known issues
If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it.
`$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`.
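Review bot: the rewritten plugin-manager sentence opens a parenthesis that never closes: "(`https://etherpad.<your-domain>/admin/plugins`, install the `adminpads2` plugin" should read "(`https://etherpad.<your-domain>/admin/plugins`), install ...". The unchanged line just above it has "you will first need to able Admin access" (enable). Since the admin UI is guarded only by `etherpad_admin_username` / `etherpad_admin_password`, the example would do better with a hint to generate the password (the page uses `pwgen -s 64 1` elsewhere) instead of the `some-password` placeholder.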

@ -39,7 +39,17 @@ By default the Jitsi Meet instance does not require any kind of login and is ope
If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow the following steps to enable Jitsi's authentication and optionally guests mode.
Currently, there are three supported authentication modes: 'internal' (default), 'matrix' and 'ldap'.
**Note:** Authentication is not tested via the playbook's self-checks.
We therefore recommend that you manually verify if authentication is required by jitsi.
For this, try to manually create a conference on jitsi.DOMAIN in your browser.
### Authenticate using Jitsi accounts (Auth-Type 'internal')
The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms.
With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join.
If a registered host is not yet present, guests are put on hold in individual waiting rooms.
Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
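Review bot: "Authentication is not tested via the playbook's self-checks" is stated, but the only verification offered is a manual browser test; a self-check that attempts to create a conference without credentials and expects a rejection would turn this into a real regression test. Capitalisation: "jitsi" should be "Jitsi" in the note lines, and "requires jitsi-accounts to be setup" should be "set up".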
@ -53,20 +63,39 @@ matrix_jitsi_prosody_auth_internal_accounts:
password: "another-password"
```
**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
**Caution:** Accounts added here and subsequently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
### Authenticate using Matrix OpenID (Auth-Type 'matrix')
### (Optional) LDAP authentication
**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.**
The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service).
By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md).
To enable set this configuration at host level:
```yaml
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: "matrix"
<<<<<<< HEAD
=======
matrix_user_verification_service_enabled: true
>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2
```
For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification).
### Authenticate using LDAP (Auth-Type 'ldap')
An example LDAP configuration could be:
```yaml
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: ldap
matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
#matrix_jitsi_ldap_binddn: ""
#matrix_jitsi_ldap_bindpw: ""
matrix_jitsi_ldap_filter: "uid=%u"
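Review bot: the `matrix` auth example contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2`) inside the fenced YAML; anyone copying the block gets invalid YAML. Resolve it so that `matrix_user_verification_service_enabled: true` sits directly under `matrix_jitsi_auth_type: "matrix"`. The old LDAP section carried the warning "Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests" and the new "Authenticate using LDAP" section drops it; please restore it if it still applies. Grammar: "Using this authentication type require" (requires); "To enable set this configuration at host level" (To enable it, set this configuration at host level).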
@ -200,7 +229,19 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs:
Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo
to route conferences too.
## (Optional) Enable Gravatar
In the default Jisti Meet configuration, gravatar.com is enabled as an avatar service. This results in third party request leaking data to gravatar.
Since element already sends the url of configured Matrix avatars to Jitsi, we disabled gravatar.
To enable Gravatar set:
```yaml
matrix_jitsi_disable_gravatar: false
```
**Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com).
Besides metadata, this includes the matrix user_id and possibly the room identifier (via `referrer` header).
## Apply changes
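Review bot: "Jisti Meet" is a typo for "Jitsi Meet". `matrix_jitsi_disable_gravatar: false` is a double negative; if the variable is still new, `matrix_jitsi_gravatar_enabled: true` reads more naturally and matches the `_enabled` convention used elsewhere in this changeset. The unchanged context line "be available for jicofo to route conferences too" should end in "to".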

@ -1,7 +1,6 @@
# Configure Nginx (optional, advanced)
By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.
If that's alright, you can skip this.
**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). Traefik is already the default reverse-proxy for new installations and existing users are also strongly encouraged to switch to Traefik. As such, this **nginx documentation below may be incomplete or misleading**.
## Using Nginx status

@ -15,17 +15,23 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
```yaml
# Enabling it is the only required setting
matrix_ntfy_enabled: true
ntfy_enabled: true
# Some other options
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
matrix_ntfy_configuration_extension_yaml: |
log_level: DEBUG
# This is the default hostname.
# Uncomment the line below and change it, if you'd like.
# matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
# Uncomment to enable the ntfy web app (disabled by default)
# ntfy_web_root: app # defaults to "disable"
# Uncomment and change to inject additional configuration options.
# ntfy_configuration_extension_yaml: |
# log_level: DEBUG
```
For a more complete list of variables that you could override, see `roles/custom/matrix-ntfy/defaults/main.yml`.
For a more complete list of variables that you could override, see the [`defaults/main.yml` file](https://gitlab.com/etke.cc/roles/ntfy/-/blob/main/defaults/main.yml) of the ntfy Ansible role.
For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
For a complete list of ntfy config options that you could put in `ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
## Installing
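Review bot: The rename from `matrix_ntfy_enabled` / `matrix_ntfy_configuration_extension_yaml` to `ntfy_enabled` / `ntfy_configuration_extension_yaml` is a breaking change with no migration note in this hunk; a `vars.yml` that still carries the old names is silently ignored, so ntfy ends up disabled (or with its extension YAML dropped) after the next run. Add a one-line notice naming the old and new variables next to the example, and link the CHANGELOG entry. Commenting out the `log_level: DEBUG` sample instead of shipping it active under "Some other options" is a good change; verbose logging should be opt-in.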
@ -78,6 +84,12 @@ If the matrix app asks, "Choose a distributor: FCM Fallback or ntfy", then choos
If the matrix app doesn't seem to pick it up, try restarting it and try the Troubleshooting section below.
### Web App
ntfy also has a web app to subscribe to and push to topics from the browser. This may be helpful to further troubleshoot UnifiedPush problems or to use ntfy for other purposes. The web app only runs in the browser locally (after downloading the JavaScript).
The web app is disabled in this playbook by default as the expectation is that most users won't use it. You can either use the [official hosted one](https://ntfy.sh/app) (it supports using other public reachable ntfy instances) or host it yourself by setting `ntfy_web_root: "app"` and re-running Ansible.
## Troubleshooting
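Review bot: "other public reachable ntfy instances" should be "other publicly reachable ntfy instances", and the paragraph should say plainly what choosing the hosted app implies: the JavaScript is downloaded from ntfy.sh and then talks to your instance from the browser, so your instance URL and topic names are handled by code served by a third party, and your instance must be reachable from the reader's browser. Self-hosting with `ntfy_web_root: "app"` avoids that; the earlier example writes the same value unquoted (`ntfy_web_root: app`), which is valid YAML but worth making consistent between the two places.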

@ -1,202 +1,49 @@
# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced)
# Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced)
**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**.
By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443.
If that's alright, you can skip this.
If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,
and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.
There are **2 ways you can go about it**, if you'd like to use your own webserver:
- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver)
- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)
## Method 1: Disabling the integrated nginx reverse-proxy webserver
This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver.
If that other webserver is `nginx`, you'd be able to include configuration files generated by the playbook into your `nginx` webserver.
If you'd like to use another webserver (not `nginx`), you'd need to do things manually. We have examples for other webservers below.
For an alternative (which keeps `matrix-nginx-proxy` around and connects your other reverse-proxy with it), make sure to check Method #2.
### Preparation
Soon, this default will change and the playbook will install its own [Traefik](https://traefik.io/) reverse-proxy instead.
No matter which external webserver you decide to go with, you'll need to:
## Traefik
1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it.
[Traefik](https://traefik.io/) will be the default reverse-proxy for the playbook in the near future.
2) Edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`)
- to disable the integrated nginx server:
There are 2 ways to use Traefik with this playbook, as described below.
```yaml
matrix_nginx_proxy_enabled: false
```
- if using an external server on another host, add the `<service>_http_host_bind_port` or `<service>_http_bind_port` variables for the services that will be exposed by the external server on the other host. The actual name of the variable is listed in the `roles/<service>/defaults/vars.yml` file for each service. Most variables follow the `<service>_http_host_bind_port` format.
### Traefik managed by the playbook
These variables will make Docker expose the ports on all network interfaces instead of localhost only.
[Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints)
Here are the variables required for the default configuration (Synapse and Element)
```
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '0.0.0.0:8008'
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '0.0.0.0:8048'
matrix_client_element_container_http_host_bind_port: "0.0.0.0:8765"
```
3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:
To switch to Traefik now, use configuration like this:
```yaml
matrix_ssl_retrieval_method: none
```
**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards.
### Using your own external nginx webserver
Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server.
Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`.
Those configuration files are adapted for use with an external web server (one not running in the container network).
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
```
If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue.
### Using your own external Apache webserver
Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration.
### Using your own external caddy webserver
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively.
### Using your own HAproxy reverse proxy
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files.
### Using another external webserver
Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/).
## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy
This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).
This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will manage SSL certificates for all services seamlessly.
If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).
**Note**: during the transition period, `matrix-nginx-proxy` will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the future, we'll be able to run without nginx, but we're not there yet.
You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network).
You would need some configuration like this:
### Traefik managed by you
```yaml
# Do not retrieve SSL certificates. This shall be managed by another webserver or other means.
matrix_ssl_retrieval_method: none
# Do not try to serve HTTPS, since we have no SSL certificates.
# Disabling this also means services will be served on the HTTP port
# (`matrix_nginx_proxy_container_http_host_bind_port`).
matrix_nginx_proxy_https_enabled: false
# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'
# Likewise, expose the Matrix Federation port on the loopback interface.
# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
#
# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).
matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
# Coturn relies on SSL certificates that have already been obtained.
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
matrix_coturn_enabled: false
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
matrix_nginx_proxy_trust_forwarded_proto: true
# Trust and use the other reverse proxy's `X-Forwarded-For` header.
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
```
With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
matrix_playbook_reverse_proxy_type: other-traefik-container
All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above).
matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network
You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports.
The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN` are optional).
devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
```
### Sample configuration for running behind Traefik 2.0
In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver.
```yaml
# Disable generation and retrieval of SSL certs
matrix_ssl_retrieval_method: none
# Configure Nginx to only use plain HTTP
matrix_nginx_proxy_https_enabled: false
# Don't bind any HTTP or federation port to the host
# (Traefik will proxy directly into the containers)
matrix_nginx_proxy_container_http_host_bind_port: ''
matrix_nginx_proxy_container_federation_host_bind_port: ''
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
matrix_nginx_proxy_trust_forwarded_proto: true
# Trust and use the other reverse proxy's `X-Forwarded-For` header.
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
# Disable Coturn because it needs SSL certs
# (Clients can, though exposing IP address, use Matrix.org TURN)
matrix_coturn_enabled: false
# All containers need to be on the same Docker network as Traefik
# (This network should already exist and Traefik should be using this network)
matrix_docker_network: 'traefik'
matrix_nginx_proxy_container_extra_arguments:
# May be unnecessary depending on Traefik config, but can't hurt
- '--label "traefik.enable=true"'
# The Nginx proxy container will receive traffic from these subdomains
- '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"'
# (The 'web-secure' entrypoint must bind to port 443 in Traefik config)
- '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"'
# (The 'default' certificate resolver must be defined in Traefik config)
- '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"'
# Traefik requires that we declare which service this router is using
- '--label "traefik.http.routers.matrix-nginx-proxy.service=matrix-nginx-proxy"'
# The Nginx proxy container uses port 8080 internally
- '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"'
# Federation
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.rule=Host(`{{ matrix_server_fqn_matrix }}`)"'
# (The 'federation' entrypoint must bind to port 8448 in Traefik config)
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"'
# (The 'default' certificate resolver must be defined in Traefik config)
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"'
# Traefik requires that we declare which service this router is using
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.service=matrix-nginx-proxy-federation"'
# The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally
- '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"'
- '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"'
```
You need to configure 3 entrypoints for your Traefik server: `web` (TCP port `80`), `web-secure` (TCP port `443`) and `matrix-federation` (TCP port `8448`).
This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver.
Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook).
Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows:
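Review bot: "By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints" should read "configures services to use the `web-secure` (443) and `matrix-federation` (8448) entrypoints". The rewritten "Traefik managed by you" block introduces `devture_traefik_certs_dumper_ssl_dir_path` without saying what the dumped certificates are for; the old text explained that Coturn relies on certificates that have already been obtained and would not work without them, and that explanation should be carried over so readers know why a directory holding `acme.json` must be shared with the playbook. The closing sentence listing the `web`, `web-secure` and `matrix-federation` entrypoints is the authoritative one and belongs directly under the `other-traefik-container` example, where the reader is actually configuring those entrypoints.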
@ -226,7 +73,7 @@ version: "3.3"
services:
traefik:
image: "traefik:v2.3"
image: "docker.io/traefik:v2.9.6"
restart: always
container_name: "traefik"
networks:
@ -252,3 +99,128 @@ networks:
traefik:
external: true
```
## Another webserver
If you don't wish to use Traefik or `matrix-nginx-proxy`, you can also use your own webserver.
Doing this is possible, but requires manual work.
There are 2 ways to go about it:
- (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using a playbook-managed reverse-proxy (either `matrix-nginx-proxy` or Traefik), disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports
- (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling all playbook-managed reverse-proxies (no `matrix-nginx-proxy`, no Traefik)
### Fronting the integrated reverse-proxy webserver with another reverse-proxy
This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).
If you wish to use another webserver, the integrated reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).
You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network).
This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it.
To front Traefik with another reverse-proxy, you would need some configuration like this:
```yaml
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
# Ensure that public urls use https
matrix_playbook_ssl_enabled: true
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
devture_traefik_config_entrypoint_web_secure_enabled: false
# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
# Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces:
# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above
# - uncomment and adjust the line below
# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
# Likewise (to `devture_traefik_container_web_host_bind_port` above),
# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below.
devture_traefik_additional_entrypoints_auto:
- name: matrix-federation
port: 8449
host_bind_port: '127.0.0.1:8449'
config: {}
# If your reverse-proxy runs on another machine, remove the config above and use this config instead:
# config:
# forwardedHeaders:
# insecure: true
# # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
```
For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
### Using no reverse-proxy on the Matrix side at all
Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services.
This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do.
If your webserver is on the same machine, sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it.
#### Using your own nginx reverse-proxy running on the same machine
**WARNING**: this type of setup is not maintained and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead.
If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration:
```yaml
matrix_playbook_reverse_proxy_type: other-nginx-non-container
# If you want https configured in /matrix/nginx-proxy/conf.d/
matrix_nginx_proxy_https_enabled: true
# If you will manage SSL certificates yourself, uncomment the line below
# matrix_ssl_retrieval_method: none
# If you're using an old nginx version, consider using a custom protocol list
# (removing `TLSv1.3` that is enabled by default) to suit your nginx version.
# matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
```
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
#### Using your own reverse-proxy running on the same machine or elsewhere
**WARNING**: this is difficult to set up, likely not very well supported and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead.
To reverse-proxy manually for each service, use configuration like this:
```yaml
# If your reverse-proxy runs on the same machine:
matrix_playbook_reverse_proxy_type: other-on-same-host
# Or, if it runs on another machine:
# matrix_playbook_reverse_proxy_type: other-on-another-host
# Or, optionally customize the network interface prefix (note the trailing `:` character).
# For other-on-same-host, the interface defaults to `127.0.0.1:`.
# For other-on-another-host, the interface defaults to `0.0.0.0:`.
# matrix_playbook_service_host_bind_interface_prefix: '192.168.30.4:'
```
With this configuration, each service will be exposed on a custom port. Example:
- Synapse will be exposed on port `8008`
- [Grafana](configuring-playbook-prometheus-grafana.md) will be exposed on port `3000`
- [synapse-admin](configuring-playbook-synapse-admin.md) will be exposed on port `8766`
You can capture traffic for these services and forward it to their port.
Some of these services are configured with certain default expecations with regard to hostname, path, etc., so it's not completely arbitrary where you can host them (unless you change the defaults).
For each new playbook service that you enable, you'll need special handling.
The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc.
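Review bot: The forwarded-headers advice in the "Fronting the integrated reverse-proxy webserver" example is inconsistent between the two entrypoints: for the web entrypoint it tells the reader to drop `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` and use `forwardedHeaders_trustedIPs` when the port is published on a public interface, but the `matrix-federation` entrypoint comment for the same remote-proxy case says to set `insecure: true` with `trustedIPs` left commented out. `insecure: true` trusts `X-Forwarded-*` from anyone who can reach the port, so the federation example should mirror the web one, roughly `config: {forwardedHeaders: {trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']}}`. Even for the loopback binding, `trustedIPs: ['127.0.0.1']` is preferable to `insecure: true` because it stays correct if the bind address is later widened. Further down, "If your webserver is on the same machine, sure your web server user" is missing "make sure". Finally, the "Using your own reverse-proxy running on the same machine or elsewhere" section exposes Synapse on `8008` for hand-written proxy rules, which is exactly where the warning about Synapse administration endpoints (the link removed in the first hunk of this file) belongs; please restore it there.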

@ -23,8 +23,8 @@ Refer to the table below for additional configuration variables and their defaul
|`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep|
|`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep|
|`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep|
|`devture_postgres_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_data_path` |
|`devture_postgres_data_path` | `"{{ devture_postgres_base_path }}/data"` | Storage path for postgres-backup database backups |
|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` |
|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups |
## Installing
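Review bot: Renaming `devture_postgres_base_path` / `devture_postgres_data_path` to `devture_postgres_backup_base_path` / `devture_postgres_backup_data_path` is the right fix: the old names read as the base and data paths of the Postgres database role itself, while the values documented here are backup locations, so anyone overriding them risked pointing the wrong role at the wrong directory. The table does not say that the old names are no longer honoured; add a short note so users with a customised backup path rename the variables instead of silently falling back to `{{ matrix_base_data_path }}/postgres-backup`.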

@ -7,27 +7,27 @@ You can enable this with the following settings in your configuration file (`inv
Remember to add `stats.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
```yaml
matrix_prometheus_enabled: true
prometheus_enabled: true
# You can remove this, if unnecessary.
prometheus_node_exporter_enabled: true
# You can remove this, if unnecessary.
matrix_prometheus_postgres_exporter_enabled: true
prometheus_postgres_exporter_enabled: true
# You can remove this, if unnecessary.
matrix_prometheus_nginxlog_exporter_enabled: true
matrix_grafana_enabled: true
grafana_enabled: true
matrix_grafana_anonymous_access: false
grafana_anonymous_access: false
# This has no relation to your Matrix user id. It can be any username you'd like.
# Changing the username subsequently won't work.
matrix_grafana_default_admin_user: "some_username_chosen_by_you"
grafana_default_admin_user: "some_username_chosen_by_you"
# Changing the password subsequently won't work.
matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you"
grafana_default_admin_password: "some_strong_password_chosen_by_you"
```
By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.<your-domain>`.
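Review bot: The rename of `matrix_grafana_default_admin_user` / `matrix_grafana_default_admin_password` to `grafana_default_admin_user` / `grafana_default_admin_password` needs a migration warning here, not only in the CHANGELOG: a `vars.yml` that keeps the old names now contributes nothing, and since the table below documents that Grafana otherwise creates a user with `admin` as both username and password, a new installation that copied the old variable names comes up with default credentials on `https://stats.<your-domain>`. The same applies to `matrix_grafana_anonymous_access` becoming `grafana_anonymous_access`. Also, `matrix_prometheus_nginxlog_exporter_enabled` keeps its `matrix_` prefix while the neighbouring variables lose theirs; if that is intentional because that role has not moved, say so, otherwise readers will assume a typo.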
@ -39,13 +39,13 @@ The retention policy of Prometheus metrics is [15 days by default](https://prome
Name | Description
-----|----------
`matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
`prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
`prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures
`matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus.
`prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus.
`matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus.
`matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.<your-domain>` subdomain) the dashboards with the graphs that we're interested in
`matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option.
`matrix_grafana_default_admin_user`<br>`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here
`grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.<your-domain>` subdomain) the dashboards with the graphs that we're interested in
`grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option.
`grafana_default_admin_user`<br>`grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here
## Security and privacy
@ -57,7 +57,7 @@ Most of our docker containers run with limited system access, but the `prometheu
## Collecting metrics to an external Prometheus server
**If the integrated Prometheus server is enabled** (`matrix_prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly".
**If the integrated Prometheus server is enabled** (`prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly".
When you'd like **to collect metrics from an external Prometheus server**, you need to expose service metrics outside of the container network.
@ -76,9 +76,9 @@ Name | Description
`matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`).
`prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network)
`matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
`prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
`matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network)
`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network)
`matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`
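Review bot: the catch-all row `matrix_SERVICE_metrics_proxying_enabled` (last row) no longer matches the naming used by the renamed rows above it, which now read `matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled` and `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`; either reword the generic row to mention both patterns or point readers at each role's variable list so they do not guess a `matrix_<role>_metrics_proxying_enabled` name that the renamed roles may no longer use. The rows also only document the toggle that publishes metrics at `https://matrix.DOMAIN/metrics/...`; since those endpoints are reachable from the internet once enabled, a sentence on whether the proxy requires authentication for `/metrics/*` (or a link to where that is configured) would help readers avoid exposing internal stats unintentionally.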

@ -12,16 +12,16 @@ You can enable this role by adding the following settings in your configuration
matrix_prometheus_nginxlog_exporter_enabled: true
# required depency
matrix_prometheus_enabled: true
prometheus_enabled: true
# optional for visualization
matrix_grafana_enabled: true
grafana_enabled: true
```
x | Prerequisites | Variable | Description
|:--:|:--:|:--:|:--|
**REQUIRED** | `matrix-prometheus`| `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`matrix_grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.<your-domain>` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added.
**REQUIRED** | `matrix-prometheus`| `prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.<your-domain>` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added.
## Docker Image Compatibility
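Review bot: the Prerequisites column in the rows `**REQUIRED** | `matrix-prometheus`| `prometheus_enabled`` and `_Optional_ | [`matrix-grafana`](...) | `grafana_enabled`` still names the roles `matrix-prometheus` and `matrix-grafana` while the variables drop the `matrix_` prefix; confirm the role names are still accurate after the rename, or update them in the same change. Since the YAML block above is being touched anyway, the comment `# required depency` could become `# required dependency`.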
@ -56,4 +56,4 @@ The following variables may be of interest:
Name | Description
-----|----------
`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
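Review bot: the two `matrix_nginx_proxy_proxy_matrix_metrics_enabled` rows are identical as rendered, so whatever changed here is not visible (trailing whitespace, presumably). If the intent was to have the description point at the renamed `matrix_prometheus_services_proxy_connect_*` variables introduced elsewhere in this change, rather than the generic `matrix_SERVICE_metrics_proxying_enabled` pattern, that update has not landed.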

@ -6,17 +6,17 @@ You can enable this with the following settings in your configuration file (`inv
```yaml
matrix_prometheus_postgres_exporter_enabled: true
prometheus_postgres_exporter_enabled: true
```
## What does it do?
Name | Description
-----|----------
`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook
`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
`prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
`prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook
`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
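Review bot: `prometheus_postgres_exporter_database_username` is renamed but its documented default stays `'matrix_prometheus_postgres_exporter'`; confirm the role's default really kept the `matrix_` prefix, otherwise the table will mislead anyone granting database permissions by hand. Since the first row says the playbook "connects it to the database", a short note on the privileges that user is created with would help readers who provision the database user themselves keep it to the minimum the exporter needs.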
## More information

@ -0,0 +1,65 @@
# Setting up Rageshake (optional)
The playbook can install and configure the [rageshake](https://github.com/matrix-org/rageshake) bug report server for you.
This is useful if you're developing your own applications and would like to collect bug reports for them.
## Decide on a domain and path
By default, Rageshake is configured to use its own dedicated domain (`rageshake.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
You can override the domain and path like this:
```yaml
# Switch to the domain used for Matrix services (`matrix.DOMAIN`),
# so we won't need to add additional DNS records for Rageshake.
matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /rageshake subpath
matrix_rageshake_path_prefix: /rageshake
```
**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_rageshake` (e.g. `matrix_server_fqn_rageshake: "some-domain.{{ matrix_domain }}"`).
## Adjusting DNS records
Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Rageshake domain to the Matrix server.
If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
## Enabling the Rageshake service
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
```yaml
matrix_rageshake_enabled: true
```
Rageshake has various options which don't have dedicated Ansible variables. You can see the full list of options in the [`rageshake.sample.yaml` file](https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml).
To set these, you can make use of the `matrix_rageshake_configuration_extension_yaml` variable like this:
```yaml
matrix_rageshake_configuration_extension_yaml: |
github_token: secrettoken
github_project_mappings:
my-app: octocat/HelloWorld
```
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
Refer to the [rageshake documentation](https://github.com/matrix-org/rageshake) for available APIs, etc.
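Review bot: the `matrix_rageshake_configuration_extension_yaml` example writes `github_token: secrettoken` straight into `vars.yml`; since that file usually lives in a git repository, mark the value as a placeholder and mention Ansible Vault so the GitHub token does not end up committed in plaintext. The fence before `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` has no language tag, unlike the `yaml` fences in the same file.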

@ -0,0 +1,62 @@
# Setting up Sliding Sync Proxy (optional)
The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you.
Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)).
See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more.
Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi).
Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version.
**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync.
## Decide on a domain and path
By default, the Sliding Sync proxy is configured to be served on the Matrix domain (`matrix.DOMAIN`, controlled by `matrix_server_fqn_matrix`), under the `/sliding-sync` path.
This makes it easy to set it up, **without** having to [adjust your DNS records](#adjusting-dns-records).
If you'd like to run the Sliding Sync proxy on another hostname or path, use the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables.
## Adjusting DNS records
If you've changed the default hostame, **you may need to adjust your DNS** records.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml
matrix_sliding_sync_enabled: true
```
## Installing
After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`.
### External databases
Please note that, if your setup utilizes an external database, you must also establish configuration for the sliding sync proxy. Alter the defaults below to suit your configuration:
```yaml
matrix_sliding_sync_database_username: 'matrix_sliding_sync'
matrix_sliding_sync_database_password: ''
matrix_sliding_sync_database_hostname: ''
matrix_sliding_sync_database_port: 5432
matrix_sliding_sync_database_name: 'matrix_sliding_sync'
```
## Usage
You **don't need to do anything special** to make use of the Sliding Sync Proxy.
Simply open your client which supports Sliding Sync (like Element X) and log in.
When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.DOMAIN/sliding-sync`).
This allows clients which support Sliding Sync to detect the Sliding Sync Proxy's URL and make use of it.
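Review bot: two typos in the new text: `homeseserver` in the Element X Android sentence should be `homeserver`, and `hostame` under "Adjusting DNS records" should be `hostname`. The install step says `just install-all` while the other pages added in this change (Rageshake, synapse_auto_compressor) show `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`; pick one form so readers following several pages do not wonder whether the commands differ. In the external database block, `matrix_sliding_sync_database_password: ''` and `matrix_sliding_sync_database_hostname: ''` are shown blank; say explicitly that these must be filled in (and that the password belongs in Ansible Vault) rather than leaving empty strings that look like working defaults.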

@ -1,112 +1,100 @@
# Adjusting SSL certificate retrieval (optional, advanced)
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.<your-domain>` and possibly `element.<your-domain>`)
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.<your-domain>` and others)
Those certificates are used when configuring the nginx reverse proxy installed by this playbook.
They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.
This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md).
If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below.
Things discussed in this document:
## Using staging Let's Encrypt certificates instead of real ones
- [Using self-signed SSL certificates](#using-self-signed-ssl-certificates), if you can't use Let's Encrypt or just need a test setup
For testing purposes, you may wish to use staging certificates provide by Let's Encrypt.
- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server
- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you
- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically
## Using self-signed SSL certificates
For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates.
If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration:
You can do this with the following configuration:
```yaml
matrix_ssl_retrieval_method: self-signed
devture_traefik_config_certificatesResolvers_acme_use_staging: true
```
If you get a `Cannot reach homeserver` error in Element, you will have to visit `https://matrix.<your-domain>` in your browser and agree to the certificate exception before you can login.
## Disabling SSL termination
## Using your own SSL certificates
For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`.
If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration:
You can do this with the following configuration:
```yaml
matrix_ssl_retrieval_method: manually-managed
devture_traefik_config_entrypoint_web_secure_enabled: false
```
With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy:
- `<matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem`
- `<matrix_ssl_config_dir_path>/live/<domain>/privkey.pem`
- `<matrix_ssl_config_dir_path>/live/<domain>/chain.pem`
where `<domain>` refers to the domains that you need (usually `matrix.<your-domain>` and `element.<your-domain>`).
## Not bothering with SSL certificates
If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration:
```yaml
matrix_ssl_retrieval_method: none
```
With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want.
## Obtaining SSL certificates for additional domains
The playbook tries to be smart about the certificates it will obtain for you.
By default, it obtains certificates for:
- `matrix.<your-domain>` (`matrix_server_fqn_matrix`)
- possibly for `element.<your-domain>`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false`
- possibly for `riot.<your-domain>`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true`
- possibly for `hydrogen.<your-domain>`, if you have explicitly [set up Hydrogen client](configuring-playbook-client-hydrogen.md).
- possibly for `cinny.<your-domain>`, if you have explicitly [set up Cinny client](configuring-playbook-client-cinny.md).
- possibly for `dimension.<your-domain>`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md).
- possibly for `goneb.<your-domain>`, if you have explicitly [set up Go-NEB bot](configuring-playbook-bot-go-neb.md).
- possibly for `jitsi.<your-domain>`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md).
- possibly for `stats.<your-domain>`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md).
- possibly for `sygnal.<your-domain>`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md).
- possibly for `ntfy.<your-domain>`, if you have explicitly [set up ntfy](configuring-playbook-ntfy.md).
- possibly for your base domain (`<your-domain>`), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md)
If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too.
To do that, simply define your own custom configuration like this:
```yaml
# In this example, we retrieve 2 extra certificates,
# one for the base domain (in the `matrix_domain` variable) and one for a hardcoded domain.
# Adding any other additional domains (hosted on the same machine) is possible.
matrix_ssl_additional_domains_to_obtain_certificates_for:
- '{{ matrix_domain }}'
- 'another.domain.example.com'
```
After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should:
- make sure the web server occupying port 80 is stopped. If you are using matrix-nginx-proxy server (which is the default for this playbook), you need to stop it temporarily by running `systemctl stop matrix-nginx-proxy` on the server.
- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start`
## Using self-signed SSL certificates
The certificate files would be made available in `/matrix/ssl/config/live/<your-other-domain>/...`.
If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)):
For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal.
- generate your self-signed certificate files
- follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below
See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-domain.conf`
Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers.
## Using your own SSL certificates
## Specify the SSL private key algorithm
To use your own SSL certificates with Traefik, you need to:
If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this:
- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
```yaml
matrix_ssl_lets_encrypt_key_type: ecdsa
# Disable ACME / Let's Encrypt support.
devture_traefik_config_certificatesResolvers_acme_enabled: false
# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
devture_traefik_ssl_dir_enabled: true
# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `matrix_aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
providers:
file:
filename: /config/certificates.yml
watch: true
# Use the matrix-aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable.
matrix_aux_file_definitions:
# Create the privkey.pem file on the server by
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
src: /path/on/your/Ansible/computer/to/privkey.pem
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
# content: |
# FILE CONTENT
# HERE
# Create the cert.pem file on the server
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
src: /path/on/your/Ansible/computer/to/cert.pem
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
# content: |
# FILE CONTENT
# HERE
# Create the custom Traefik configuration.
# The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
- dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
content: |
tls:
certificates:
- certFile: /ssl/cert.pem
keyFile: /ssl/privkey.pem
stores:
default:
defaultCertificate:
certFile: /ssl/cert.pem
keyFile: /ssl/privkey.pem
```
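Review bot: the new "Disabling SSL termination" section (`devture_traefik_config_entrypoint_web_secure_enabled: false`) describes exposing services over `http://` "for testing or other purposes" with no caveat; a sentence that this sends Matrix passwords and access tokens in cleartext and must not be used on a host reachable from the internet belongs there, in the same style as the `Cannot reach homeserver` caveat kept for self-signed certificates. Smaller points: "staging certificates provide by Let's Encrypt" should read "provided"; "you remove this `matrix_aux_file_definitions` variable" should read "you can remove"; the "Specify the SSL private key algorithm" section with `matrix_ssl_lets_encrypt_key_type: ecdsa` appears only on the removed side, so either document the Traefik equivalent or state that the key type is no longer selectable; and the `matrix_aux_file_definitions` entry that uploads `privkey.pem` says nothing about the resulting file's permissions, which matter for a private key.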

@ -11,6 +11,31 @@ See the project's [documentation](https://github.com/matrix-org/sygnal) to learn
This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves.
## Decide on a domain and path
By default, Sygnal is configured to use its own dedicated domain (`sygnal.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
You can override the domain and path like this:
```yaml
# Switch to the domain used for Matrix services (`matrix.DOMAIN`),
# so we won't need to add additional DNS records for Sygnal.
matrix_sygnal_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /sygnal subpath
matrix_sygnal_path_prefix: /sygnal
```
**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_sygnal` (e.g. `matrix_server_fqn_sygnal: "push.{{ matrix_domain }}"`).
## Adjusting DNS records
Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Sygnal domain to the Matrix server.
If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
@ -55,9 +80,7 @@ To do that, the above example configuration:
## Installing
Don't forget to add `sygnal.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
After configuring the playbook, run the [installation](installing.md) command again:
After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
@ -66,6 +89,6 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
## Usage
To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server.
To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is to your Sygnal URL endpoint (e.g. `https://sygnal.DOMAIN`).
Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document.
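Review bot: the rewritten Usage sentence lost a word: "and is to your Sygnal URL endpoint" should read "and is pointed to your Sygnal URL endpoint (e.g. `https://sygnal.DOMAIN`)", matching the old wording "is also pointed to".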

@ -35,34 +35,6 @@ To use Synapse Admin, you need to have [registered at least one administrator ac
The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`
### Sample configuration for running behind Traefik 2.0
Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
This an extension to Traefik config sample in [own-webserver-documentation](./configuring-playbook-own-webserver.md).
```yaml
# Don't bind any HTTP or federation port to the host
# (Traefik will proxy directly into the containers)
matrix_synapse_admin_container_http_host_bind_port: ""
matrix_synapse_admin_container_extra_arguments:
# May be unnecessary depending on Traefik config, but can't hurt
- '--label "traefik.enable=true"'
# The Synapse Admin container will only receive traffic from this subdomain and path
- '--label "traefik.http.routers.matrix-synapse-admin.rule=(Host(`{{ matrix_server_fqn_matrix }}`) && Path(`{{matrix_synapse_admin_public_endpoint}}`))"'
# (Define your entrypoint)
- '--label "traefik.http.routers.matrix-synapse-admin.entrypoints=web-secure"'
# (The 'default' certificate resolver must be defined in Traefik config)
- '--label "traefik.http.routers.matrix-synapse-admin.tls.certResolver=default"'
# The Synapse Admin container uses port 80 by default
- '--label "traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80"'
```
### Sample configuration for running behind Caddy v2
Below is a sample configuration for using this playbook with a [Caddy](https://caddyserver.com/v2) 2.0 reverse proxy (non-default configuration where `matrix-nginx-proxy` is disabled - `matrix_nginx_proxy_enabled: false`).
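Review bot: with the "Sample configuration for running behind Traefik 2.0" section removed, this page no longer shows how Synapse Admin is routed when Traefik sits in front of it; a one-line pointer to wherever the playbook-managed Traefik routing is now documented would save readers from digging the deleted labels out of git history. The retained Caddy intro still calls `matrix_nginx_proxy_enabled: false` a "non-default configuration", which reads as stale given that other pages in this change describe `matrix-nginx-proxy` as the former default reverse proxy.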

@ -0,0 +1,36 @@
# Setting up synapse_auto_compressor
The playbook can install and configure [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) for you.
It's a CLI tool that automatically compresses Synapse's `state_groups` database table in the background.
See the project's [documentation](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) to learn what it does and why it might be useful to you.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml
matrix_synapse_auto_compressor_enabled: true
```
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
After installation, `synapse_auto_compressor` will run automatically every day at `00:00:00` (as defined in `matrix_synapse_auto_compressor_calendar` by default).
## Manually start the tool
For testing your setup it can be helpful to not wait until 00:00. If you want to run the tool immediately, log onto the server
and run `systemctl start matrix-synapse-auto-compressor`. Running this command will not return control to your terminal until the compression run is done, which may take a long time.
Consider using [tmux](https://en.wikipedia.org/wiki/Tmux) if your SSH connection is unstable.
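Review bot: `systemctl start matrix-synapse-auto-compressor` blocks until the run finishes, as the text says; for readers who do not want to hold a shell open, `systemctl start --no-block matrix-synapse-auto-compressor` returns immediately and `journalctl -u matrix-synapse-auto-compressor -f` follows progress, which is a lighter alternative to the tmux suggestion. Also, `00:00:00` in the Usage section and `00:00` in the next paragraph refer to the same time; use one form.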

@ -80,3 +80,42 @@ matrix_synapse_configuration_extension_yaml: |
backchannel_logout_enabled: true # Optional
```
## Customizing templates
[Templates](https://github.com/matrix-org/synapse/blob/develop/docs/templates.md) are used by Synapse for showing **certain web pages** handled by the server, as well as for **email notifications**.
This playbook allows you to customize the default templates (see the [`synapse/res/templates` directory](https://github.com/matrix-org/synapse/tree/develop/synapse/res/templates)).
If template customization is enabled, the playbook will build a custom container image based on the official one.
Your custom templates need to live in a public or private git repository. This repository will be cloned during Synapse image customization (during the playbook run).
To enable template customizations, use a configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) like this:
```yaml
# If you'd like to ensure that the customized image is built each time the playbook runs, enable this.
# Otherwise, the customized image will only be rebuilt whenever the Synapse version changes (once every ~2 weeks).
# matrix_synapse_docker_image_customized_build_nocache: true
matrix_synapse_container_image_customizations_templates_enabled: true
# Our templates live in a templates/ directory within the repository.
# If they're at the root path, delete this line.
matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates
matrix_synapse_container_image_customizations_templates_git_repository_url: git@github.com:organization/repository.git
matrix_synapse_container_image_customizations_templates_git_repository_branch: main
matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: true
matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: github.com
# If your git repository is public, do not define the private key (remove the variable).
matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
....
-----END OPENSSH PRIVATE KEY-----
```
As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory.
Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates.
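Review bot: the example inlines an SSH private key under `matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key` in `vars.yml`; recommend stating that this should be a deploy key dedicated to the templates repository with read-only access, and that it should be stored via Ansible Vault rather than committed in plaintext next to the rest of the inventory. `..._git_repository_keyscan_enabled: true` together with `..._keyscan_hostname: github.com` means the host key is accepted as returned at scan time; a sentence making clear that this is trust-on-first-use, and how readers who prefer a pinned host key can supply one (if the role supports that), would make the trust decision explicit.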

@ -0,0 +1,50 @@
# Configure Traefik (optional, advanced)
By default, this playbook installs and manages a [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server, powered by the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) Ansible role.
This Ansible role support various configuration options. Feel free to consult its `default/main.yml` variables file.
## Adjusting SSL certificate retrieval
See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) documentation page.
## Increase logging verbosity
```yaml
devture_traefik_config_log_level: DEBUG
```
## Disable access logs
This will disable access logging.
```yaml
devture_traefik_config_accessLog_enabled: false
```
## Enable Traefik Dashboard
This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.DOMAIN/dashboard/` (note the trailing `/`).
```yaml
devture_traefik_dashboard_enabled: true
devture_traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}"
devture_traefik_dashboard_basicauth_enabled: true
devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
```
**WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts.
## Additional configuration
Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
```yaml
# This is a contrived example.
# You can enable and secure the Dashboard using dedicated variables. See above.
devture_traefik_configuration_extension_yaml: |
api:
dashboard: true
```
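Review bot: `default/main.yml` in the second paragraph should be `defaults/main.yml`, which is the Ansible role convention and the path this documentation uses elsewhere; the same sentence reads "This Ansible role support various configuration options" and needs "supports". Next to the dashboard example it is also worth saying that `devture_traefik_dashboard_basicauth_password` is written in the clear into `vars.yml`, so that file deserves the same handling as the other secrets it holds.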

@ -0,0 +1,153 @@
# Setting up Matrix User Verification Service (optional)
**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.**
If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
Currently, the main purpose of this role is to allow Jitsi to authenticate matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works.
**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled.
If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in `group_vars/matrix_servers`.
__Some general concepts of UVS may be helpful to understand the rest, so here they are:__
UVS can be used to verify two claims:
* (A) Whether a given OpenID token is valid for a given server and
* (B) whether a user is member of a given room and the corresponding PowerLevel
Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain.
The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this.
By default, this playbook only checks against `matrix_server_fqn_matrix`.
Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`.
Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network.
UVS will verify the validity of the token beforehand though.
## Prerequisites
In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS.
## Enable
<<<<<<< HEAD
[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default unless required by Jitsi (see group_vars/matrix_servers).
=======
[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default.
>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2
You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_user_verification_service_enabled: true
```
## Configuration
The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below).
For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml).
But be aware of all the plugging happening in `group_vars/matrix_servers`.
In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host.
<<<<<<< HEAD
However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. Be aware that the normally used port (3000) may collide with Grafana.
### Access token
The Synapse Access Token is used to verify RoomMembership and PowerLevel against the configured homeserver_url (which is plugged in group_vars).
=======
However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`.
### Access token
The Synapse Access Token is used to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`.
>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2
We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username).
Follow our [Registering users](registering-users.md) guide to register a user with administration privileges.
You are required to specify an access token (belonging to this new user) for UVS to work.
To get an access token for the UVS user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md).
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
```yaml
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
```
<<<<<<< HEAD
### (Optional) Auth Token
It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
=======
### (Optional) Custom Auth Token
It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2
By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
To set your own Token, simply put the following in your host_vars.
```yaml
matrix_user_verification_service_uvs_auth_token: "TOKEN"
```
In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
<<<<<<< HEAD
=======
### (Optional) Disable Auth
Authorization is enabled by default. To disable set
```yaml
matrix_user_verification_service_uvs_require_auth: false
```
in your host_vars.
>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2
### (Optional) Federation
In theory (however currently untested), UVS can handle federation. Simply set:
```yaml
<<<<<<< HEAD
matrix_user_verification_service_uvs_openid_verify_server_name: ~
```
using host_vars to override the group_vars.
=======
matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
```
in your host_vars.
>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2
This will instruct UVS to verify the OpenID token against any domain given in a request.
Homeserver discovery is done via '.well-known/matrix/server' of the given domain.
## Installation
After these variables have been set, please run the following command to re-run setup and to restart UVS:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start
```
## Logging
The configuration variable `UVS_LOG_LEVEL` can be set to:
- warning
- info
- debug
## TLS Certificate Checking
If the matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message:
> message: 'No response received: [object Object]',
This also applies to self-signed and let's encrypt staging certificates.
To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0`
Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it.
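Review bot: this file is committed with unresolved merge-conflict markers (`<<<<<<< HEAD` / `=======` / `>>>>>>> 413049feea13fe5bece06ae0c331514b62d706d2`) in the Enable, Configuration, Auth Token, Disable Auth and Federation sections; the Federation conflict sits inside a ```yaml fence, so whichever side is kept, the fence and the variable name (`matrix_user_verification_service_uvs_openid_verify_server_name: ~` vs `matrix_user_verification_service_uvs_pin_openid_verify_server_name: false`) have to be reconciled with the role defaults before this can merge. Minor wording in the same file: "Verifying an OpenID token id done by" should be "is done by", "whether a user is member of a given room" needs "a member", and "how to do obtain an access token" should be "how to obtain".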

@ -59,9 +59,11 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional)
- [Configure Nginx](configuring-playbook-nginx.md) (optional, advanced)
- [Configure the Traefik reverse-proxy](configuring-playbook-traefik.md) (optional, advanced)
- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced)
- (Deprecated) [Configure the Nginx reverse-proxy](configuring-playbook-nginx.md) (optional, advanced)
- [Using your own webserver, instead of this playbook's default reverse-proxy](configuring-playbook-own-webserver.md) (optional, advanced)
- [Adjusting TURN server configuration](configuring-playbook-turn.md) (optional, advanced)
@ -99,6 +101,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced)
- [Matrix User Verification Service](configuring-playbook-user-verification-service.md) (optional, advanced)
### Bridging other networks
@ -177,6 +181,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional)
- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer (optional)
- [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional)
@ -189,8 +195,14 @@ When you're done with all the configuration you'd like to do, continue with [Ins
### Other specialized services
- [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers (optional)
- [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional)
- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)
- [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional)
- [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional)
- [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional)

@ -125,7 +125,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
- this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place
- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md)
- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up [Traefik](https://doc.traefik.io/traefik/) for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md)
- this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md))
@ -322,7 +322,7 @@ matrix_playbook_docker_installation_enabled: false
### I run another webserver on the same server where I wish to install Matrix. What now?
By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md).
By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md).
### How is the effective configuration determined?
@ -336,12 +336,14 @@ Configuration variables are defined in multiple places in this playbook and are
### What configuration variables are available?
You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`).
You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`).
As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`.
Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features).
**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`).
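Review bot: the added note reads "only installed after your run `just roles`" and should be "after you run"; the unchanged line above it also has "overriden" (overridden), which can be fixed while touching the file.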
### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it?
The playbook doesn't aim to expose all configuration settings for all services using variables.
@ -352,7 +354,9 @@ See [What configuration variables are available?](#what-configuration-variables-
Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration.
Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it.
Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it.
**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`).
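Review bot: the edited sentence still says "an example for how use it" (missing "to"), and the added note repeats "after your run" (should be "after you run"). This note is identical to the one added in the previous hunk; linking to the earlier section instead of duplicating the text would keep the two from drifting apart.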
## Installation
@ -461,15 +465,8 @@ After verifying that everything still works after the Postgres upgrade, you can
### How do I debug or force SSL certificate renewal?
SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers).
If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using:
- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service`
- *or* by looking at the log files in `/matrix/ssl/log/`
To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again.
SSL certificates are managed automatically by the [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server.
If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer.
If you're having trouble with SSL certificate renewal, check the Traefik logs (`journalctl -fu matrix-traefik`).
If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files.
If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (Traefik), you should investigate in another way.
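Review bot: "you should investigate in another way" gives the reader nothing to act on; suggest naming where certificates come from in the own-webserver setup (the playbook no longer manages them there) or linking to the relevant section of configuring-playbook-own-webserver.md. Also, `journalctl -fu matrix-traefik` follows the log; for inspecting a past renewal failure, `journalctl -u matrix-traefik` without `-f` may be the more useful form to show.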

@ -20,17 +20,17 @@ Before doing the actual import, **you need to upload your Postgres dump file to
## Importing
To import, run this command (make sure to replace `<server-path-to-postgres-dump.sql>` with a file path on your server):
To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server):
```sh
ansible-playbook -i inventory/hosts setup.yml \
--extra-vars='server_path_postgres_dump=<server-path-to-postgres-dump.sql> postgres_default_import_database=matrix' \
--tags=import-postgres
just run-tags import-postgres \
--extra-vars=server_path_postgres_dump=SERVER_PATH_TO_POSTGRES_DUMP_FILE \
--extra-vars=postgres_default_import_database=matrix
```
**Notes**:
- `<server-path-to-postgres-dump.sql>` must be a file path to a Postgres dump file on the server (not on your local machine!)
- `SERVER_PATH_TO_POSTGRES_DUMP_FILE` must be a file path to a Postgres dump file on the server (not on your local machine!)
- `postgres_default_import_database` defaults to `matrix`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly
@ -86,7 +86,7 @@ In this case you can use the command suggested in the import task to clear the d
# systemctl start matrix-postgres
```
Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc.
Now on your local machine run `just run-tags setup-postgres` to prepare the database roles etc.
If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database.
```

@ -17,7 +17,7 @@ Here are some playbook tags that you should be familiar with:
- `install-all` - like `setup-all`, but skips uninstallation tasks. Useful for maintaining your setup quickly when its components remain unchanged. If you adjust your `vars.yml` to remove components, you'd need to run `setup-all` though, or these components will still remain installed
- `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/*/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag).
- `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/**/tasks/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag).
- `install-SERVICE` (e.g. `install-bot-postmoogle`) - like `setup-SERVICE`, but skips uninstallation tasks. See `install-all` above for additional information.

@ -41,7 +41,7 @@ To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sq
Example:
```bash
ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start
just run-tags run-postgres-vacuum,start
```
**Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`).
@ -78,7 +78,9 @@ Upgrades must be performed manually.
This playbook can upgrade your existing Postgres setup with the following command:
ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres
```sh
just run-tags upgrade-postgres
```
**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.**

@ -29,7 +29,9 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena
[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. If your server participates in large rooms this is the most effective way to reduce the size of your database.
This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
**Note**: besides running the `rust-synapse-compress-state` tool manually, you can also enable its `synapse-auto-compressor` tool by [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md). The automatic tool will run on a schedule every day and you won't have to compress state manually ever again.
`rust-synapse-compress-state` should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
To ask the playbook to run rust-synapse-compress-state, execute:

@ -20,6 +20,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
- The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library installed on the computer you run Ansible. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc.
- [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components.
- [`just`](https://github.com/casey/just) for running `just roles`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually

@ -0,0 +1,17 @@
# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
## Prerequisite configuration
To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
## Using the nginx configuration
Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`).
This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.
Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager.
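Review bot: a few wording slips in the new README: "shows you how use the nginx webserver" (how to use), "include it your nginx configuration" (include it in your), and "For your setup, may wish to change this" (you may wish).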

@ -0,0 +1,96 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# TODO: add/remove services and their subdomains if you use/don't use them
# this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
# if you don't use those, you can remove them
# if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
server_name example.com matrix.example.com element.example.com;
location / {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise, nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://localhost:81;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
access_log /var/log/nginx/matrix.access.log;
error_log /var/log/nginx/matrix.error.log;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# settings for matrix federation
server {
# For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name matrix.example.com;
location / {
proxy_pass http://localhost:8449;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
access_log /var/log/nginx/matrix.access.log;
error_log /var/log/nginx/matrix.error.log;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# ensure using https
# TODO: remove server blocks that you don't use / add server blocks for domains you do use
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name example.com;
listen 80;
return 404; # managed by Certbot
}
server {
if ($host = matrix.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name matrix.example.com;
listen 80;
return 404; # managed by Certbot
}
server {
if ($host = element.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name element.example.com;
listen 80;
return 404; # managed by Certbot
}
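Review bot: the federation `server` block on 8448 sets `X-Forwarded-For`, `X-Forwarded-Proto` and `Host` but omits the `X-Real-IP` header that the 443 block sets; keep the two consistent so Traefik and the homeserver see the same client address on both paths. Setting `X-Forwarded-For` to `$remote_addr` rather than `$proxy_add_x_forwarded_for` is the right choice at the edge, since it discards any client-supplied chain, and a comment saying so would prevent a well-meant "fix" later. Also, `listen 8448 ssl http2 default_server` makes this block answer for any SNI on 8448, which is fine for a single homeserver but deserves a TODO like the others so people fronting several hosts know to change it.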

@ -21,6 +21,11 @@ matrix_homeserver_implementation: synapse
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: ''
# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
@ -29,7 +34,7 @@ matrix_homeserver_generic_secret_key: ''
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
matrix_ssl_lets_encrypt_support_email: ''
devture_traefik_config_certificatesResolvers_acme_email: ''
# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#


@ -1,44 +1,57 @@
# Shows help
default:
@just --list --justfile {{ justfile() }}
@just --list --justfile {{ justfile() }}
# Pulls external Ansible roles
roles:
rm -rf roles/galaxy
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
#!/usr/bin/env sh
if [ -x "$(command -v agru)" ]; then
agru
else
rm -rf roles/galaxy
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
fi
# Updates requirements.yml if there are any new tags available. Requires agru
update:
@agru -u
# Runs ansible-lint against all roles in the playbook
lint:
ansible-lint
ansible-lint
# Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments
install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args)
# Runs installation tasks for a single service
install-service service *extra_args:
just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }}
# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)
# Runs the playbook with the given list of arguments
run +extra_args:
time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}
time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}
# Runs the playbook with the given list of comma-separated tags and optional arguments
run-tags tags *extra_args:
just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
# Runs the playbook in user-registration mode
register-user username password admin_yes_or_no *extra_args:
time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }}
time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }}
# Starts all services
start-all *extra_args: (run-tags "start-all" extra_args)
# Starts a specific service group
start-group group *extra_args:
@just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
@just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
# Stops all services
stop-all *extra_args: (run-tags "stop-all" extra_args)
# Stops a specific service group
stop-group group *extra_args:
@just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
@just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
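Review bot: `register-user` passes `password={{ password }}` on the `ansible-playbook` command line inside `--extra-vars`, so the password is visible in `ps` output for the whole run and lands in shell history; passing the variables via `--extra-vars=@file` (a JSON/YAML file) or prompting for them would avoid that. Separately, `roles` silently uses `agru` when it is on PATH and falls back to `ansible-galaxy` otherwise, while `update` calls `agru -u` unconditionally; printing which path `roles` took, and failing `update` with a clear message when `agru` is missing, would make the two recipes predictable.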

@ -1,147 +1,41 @@
import os
import sys
import os, uservar, checks, setup, sys
domain=""
email=""
postgres_password=""
#leave empty for standard ssh port (22)
ssh_port = ""
#provide your public ip adress - you can lookup at wieistmeineip.at
ip = ""
#want to create the homeserver key on yourself? answer with True or False
add_key=True
#if True insert your generated key here (generate it with pwgen -s 64 1)
homeserver_key=""
#bridges, set variable <true> if you want to install them or <false> e.g: mautrix-bridge=true
mautrix_discord_bridge=True
mautrix_signal_bridge=True
heisenberg_bridge=True
#write your username in matrix format e.g @your-username:domain
heisenbridge_owner=""
#if true fill out client id and token, you would get that from the discord developers dashboard when creating a bot
appservice_discord_bridge=True
appservice_discord_brige_client_id="" #
appservice_discord_bridge_token=""
#want to run your own nginx server? set the ports where matrix-nginx should run and reverse proxy it from your nginx
http_port=
https_port=
if ip is None:
print("ERROR: IP variable empty")
sys.exit()
if heisenberg_bridge == True and not heisenbridge_owner:
print("please fill in a matrix user")
sys.exit()
if appservice_discord_bridge and not appservice_discord_brige_client_id or not appservice_discord_bridge_token:
print("ERROR: fill out all appservice variables")
sys.exit()
#os.system("sudo dnf install pwgen -y")
def func(string):
return ''.join(string.splitlines())
user=os.environ.get('USER')
key = os.environ.get('MATRIX_KEY')
print(key)
if key is None and add_key == False:
homeserver_key=os.popen("pwgen -s 64 1").read()
homeserver_key=func(homeserver_key)
print("if ist durch")
with open('/home/{}/.bashrc'.format(user), 'a') as f:
f.write("export MATRIX_KEY={}".format(homeserver_key))
f.close()
elif key is not None and add_key == False:
homeserver_key = key
print(key)
#print(key)
#print(key)
file_path = os.path.dirname(os.path.realpath(__file__))
yml_path= "{}/inventory/host_vars/matrix.{}".format(file_path, domain)
yml_path= "{}/inventory/host_uservar/matrix.{}".format(file_path, uservar.domain)
hosts_path = "{}/inventory/".format(file_path)
checks.checks()
try:
if not os.path.exists(yml_path):
os.makedirs(yml_path)
#os.mkdir(yml_path)
os.system("touch {}/vars.yml".format(yml_path))
os.system("touch {}/uservar.yml".format(yml_path))
os.system("touch {}/hosts".format(hosts_path))
with open('{}/hosts'.format(hosts_path), 'w') as f:
hosts_write = [
"[matrix_servers]\n",
"matrix.{} ansible_host={} ansible_port={} ansible_ssh_user=root".format(domain, ip, ssh_port)
"matrix.{} ansible_host={} ansible_port={} ansible_ssh_user=root".format(uservar.domain, uservar.ip, uservar.ssh_port)
]
f.writelines(hosts_write)
except OSError as e:
print(e)
with open('{}/foo.yml'.format(yml_path), 'r+') as f:
lines = [
'matrix_domain: {}\n'.format(domain),
'matrix_homeserver_implementation: synapse\n',
"matrix_homeserver_generic_secret_key: '{}' \n".format(homeserver_key),
'matrix_ssl_lets_encrypt_support_email: "{}" \n'.format(email),
"devture_postgres_connection_password: '{}' \n".format(postgres_password),
'matrix_well_known_matrix_support_enabled: true\n',
'matrix_nginx_proxy_base_domain_serving_enabled: true\n'
]
content = f.read()
#if "matrix_homeserver_generic_secret_key:" not in content:
# lines[0] = "matrix_homeserver_generic_secret_key: '{}' \n".format(homeserver_key)
for i, line in enumerate(lines):
get_line = line.split(": ")[0].strip()
get_var = line.split(": ")[1].strip()
print(get_var)
print(line)
if get_line not in content:
print("get_line wurde aufgerufen")
lines[i] = "{}: {}\n".format(get_line, get_var)
elif get_var not in content:
print(i)
lines[i] = "{}: {}\n".format(get_line, get_var)
f.seek(0)
f.truncate()
f.writelines(lines)
f.close()
if mautrix_discord_bridge:
with open('{}/foo.yml'.format(yml_path), 'a') as f:
f.write("matrix_mautrix_discord_enabled: true\n")
f.close()
if mautrix_signal_bridge:
with open('{}/foo.yml'.format(yml_path), 'a') as f:
f.write("matrix_mautrix_signal_enabled: true\n")
f.close()
if heisenberg_bridge:
with open('{}/foo.yml'.format(yml_path), 'a') as f:
heisenbridge = [
"matrix_heisenbridge_enabled: true\n",
'matrix_heisenbridge_owner: "{}"\n'.format(heisenbridge_owner),
"matrix_heisenbridge_identd_enabled: true\n"
]
f.writelines(heisenbridge)
f.close()
if appservice_discord_bridge:
with open('{}/foo.yml'.format(yml_path), 'a') as f:
appservice = [
"matrix_appservice_discord_enabled: true\n",
"matrix_appservice_discord_bridge_enableSelfServiceBridging: true\n",
'matrix_appservice_discord_client_id: "{}"\n'.format(appservice_discord_brige_client_id),
'matrix_appservice_discord_bot_token: "{}"\n'.format(appservice_discord_bridge_token)
]
f.writelines(appservice)
f.close()
if http_port is not None:
with open('{}/foo.yml'.format(yml_path), 'a') as f:
ports = [
"matrix_nginx_proxy_container_http_host_bind_port: '{}'\n".format(http_port),
"matrix_nginx_proxy_container_https_host_bind_port: '{}'\n".format(https_port)
]
f.writelines(ports)
f.close()
setup.setup()
os.system("just roles")
os.system("just install-all")
if __name__ == '__main__':
main()
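Review bot: the homeserver secret is handled unsafely in the setup script: `print(key)` (twice) writes the `MATRIX_KEY` value to stdout, where it lands in terminal scrollback and any CI log, and the `with open('/home/{}/.bashrc'.format(user), 'a')` block persists it as a plaintext `export MATRIX_KEY=...` line in the user's shell rc file. Generate the key straight into the vars file the playbook already treats as sensitive and drop the prints. Several guards also cannot fire as written: `ip = ""` is never `None`, so `if ip is None:` never catches an empty address (use `if not ip:`); `if appservice_discord_bridge and not appservice_discord_brige_client_id or not appservice_discord_bridge_token:` binds as `(A and not B) or not C` and needs parentheses around the `or` part; `http_port=` / `https_port=` are not valid Python, and `if http_port is not None:` would be true for any value once that is fixed. Smaller points: the file is created as `vars.yml` (`touch {}/vars.yml`) but then written as `foo.yml`; `main()` is invoked under `__main__` but never defined; `os.system("touch {}/...".format(...))` hands user-supplied `domain` text to a shell where `open(path, 'a').close()` would do; and the German debug prints (`print("if ist durch")`, `print("get_line wurde aufgerufen")`) should go before merge.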

@ -43,7 +43,7 @@
- role: galaxy/com.devture.ansible.role.postgres
- custom/matrix-redis
- galaxy/redis
- custom/matrix-corporal
- custom/matrix-bridge-appservice-discord
- custom/matrix-bridge-appservice-slack
@ -79,42 +79,56 @@
- custom/matrix-bot-postmoogle
- custom/matrix-bot-go-neb
- custom/matrix-bot-mjolnir
- custom/matrix-bot-draupnir
- custom/matrix-bot-chatgpt
- custom/matrix-cactus-comments
- custom/matrix-rageshake
- custom/matrix-synapse
- custom/matrix-synapse-auto-compressor
- custom/matrix-synapse-reverse-proxy-companion
- custom/matrix-dendrite
- custom/matrix-conduit
- custom/matrix-synapse-admin
- galaxy/prometheus_node_exporter
- custom/matrix-prometheus-postgres-exporter
- galaxy/prometheus_postgres_exporter
- custom/matrix-prometheus-nginxlog-exporter
- custom/matrix-prometheus
- custom/matrix-grafana
- galaxy/prometheus
- galaxy/grafana
- custom/matrix-prometheus-services-connect
- custom/matrix-prometheus-services-proxy-connect
- custom/matrix-registration
- custom/matrix-client-element
- custom/matrix-client-hydrogen
- custom/matrix-client-cinny
- custom/matrix-jitsi
- custom/matrix-user-verification-service
- custom/matrix-ldap-registration-proxy
- custom/matrix-ma1sd
- custom/matrix-dimension
- custom/matrix-etherpad
- galaxy/etherpad
- custom/etherpad-proxy-connect
- custom/matrix-sliding-sync
- custom/matrix-email2matrix
- custom/matrix-sygnal
- custom/matrix-ntfy
- galaxy/ntfy
- custom/matrix-nginx-proxy
- custom/matrix-coturn
- custom/matrix-aux
- role: galaxy/aux
- role: galaxy/com.devture.ansible.role.postgres_backup
- custom/matrix-backup-borg
- role: galaxy/backup_borg
- custom/matrix-user-creator
- custom/matrix-common-after
- role: galaxy/com.devture.ansible.role.container_socket_proxy
- role: galaxy/com.devture.ansible.role.traefik
- role: galaxy/com.devture.ansible.role.traefik_certs_dumper
- when: devture_systemd_service_manager_enabled | bool
role: galaxy/com.devture.ansible.role.systemd_service_manager

@ -1,34 +1,47 @@
---
- src: geerlingguy.docker
version: 6.0.4
- src: git+https://github.com/geerlingguy/ansible-role-docker
version: 6.1.0
name: geerlingguy.docker
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5
version: 129c8590e106b83e6f4c259649a613c6279e937a
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: 327d2e17f5189ac2480d6012f58cf64a2b46efba
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: 3d5bb2976815958cdce3f368fa34fb51554f899b
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc
version: 38764398bf82b06a1736c3bfedc71dfd229e4b52
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b
version: 8e9ec48a09284c84704d7a2dce17da35f181574d
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
version: v1.5.0-0
version: v1.5.0-7
- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
version: v0.12.0-0
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.4-1.7.9-0
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v9.4.7-0
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
version: v2.2.0-0
- src: git+https://gitlab.com/etke.cc/roles/redis.git
version: v7.0.10-0
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
version: v1.8.18-2
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-1
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.9.9-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.1-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
version: v1.0.0-0
name: aux
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
version: v2.43.0-0
name: prometheus

@ -0,0 +1,11 @@
---
# etherpad-proxy-connect is a compatibility role connecting the new Etherpad role with matrix-nginx-proxy.
# It adds back support for serving Etherpad under the Dimension domain (`matrix_server_fqn_dimension`).
# Controls whether Etherpad will be hosted under the Dimension domain when matrix-nginx-proxy is used (depending on matrix_playbook_reverse_proxy_type).
# If you're not using matrix-nginx-proxy, then this value has no effect.
etherpad_nginx_proxy_dimension_integration_enabled: false
# Controls the path at which Etherpad will be exposed on the Dimension domain.
etherpad_nginx_proxy_dimension_integration_path_prefix: "{{ etherpad_path_prefix }}"

@ -11,14 +11,14 @@
- name: Generate Etherpad proxying configuration for matrix-nginx-proxy
ansible.builtin.set_fact:
matrix_etherpad_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
etherpad_matrix_nginx_proxy_configuration: |
rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent;
location {{ matrix_etherpad_public_endpoint }}/ {
location {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-etherpad:9001/;
proxy_pass http://{{ etherpad_identifier }}:9001/;
{# These are proxy directives needed specifically by Etherpad #}
proxy_buffering off;
proxy_http_version 1.1; # recommended with keepalive connections
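Review bot: `proxy_pass http://{{ etherpad_identifier }}:9001/;` now templates the container name but leaves the port hard-coded; if the Etherpad role exposes a container-port variable, use it so the two roles cannot drift. The `rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ ... {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent;` line and the `location {{ ... }}/ {` line both assume the prefix has no trailing slash (with one, the regex never matches and the location becomes `//`); `validate_config.yml` rejects `/` but not a trailing slash, which is worth adding there.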
@ -42,5 +42,5 @@
{{
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([])
+
[matrix_etherpad_matrix_nginx_proxy_configuration]
[etherpad_matrix_nginx_proxy_configuration]
}}

@ -0,0 +1,12 @@
---
- when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool
tags:
- install-all
- setup-all
- install-nginx-proxy
- setup-nginx-proxy
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"

@ -0,0 +1,32 @@
---
- name: Fail if reverse-proxy is not nginx
when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container']
ansible.builtin.fail:
msg: >
Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy.
`matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy.
If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead.
- name: Fail if Dimension not enabled
when: not matrix_dimension_enabled
ansible.builtin.fail:
msg: >
Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension.
Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`).
Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead.
- name: Fail if Etherpad hostname does not match Dimension hostname
when: etherpad_hostname != matrix_server_fqn_dimension
ansible.builtin.fail:
msg: >
Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`.
Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}`
- name: Fail if / path prefix used for Etherpad
when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/'
ansible.builtin.fail:
msg: >
Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad.
You've chosen a path prefix of `/` in `etherpad_nginx_proxy_dimension_integration_path_prefix`.
The `/` path must go to Dimension itself, so you need to pick a different prefix (e.g. `/etherpad`).

@ -1,81 +0,0 @@
---
# matrix-aux is a role that manages auxiliary files and directories on your Matrix server.
#
# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.).
# This role allows such files to be managed by the playbook.
#
# Note that files and directories created via this role are not automatically made available for containers to use.
# If you use this role to put files in a directory that's already mounted into a container,
# you can access the files without additional work.
# Otherwise, you'd need to mount the file/directory to the container that needs it.
# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable
# that you can use to mount an additional volume.
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
matrix_aux_directory_default_mode: '0750'
# Holds a list of directories to create on the server.
#
# By default, directories are:
# - created with permissions as specified in `matrix_aux_directory_default_mode`
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
#
# Example:
#
# matrix_aux_directory_definitions:
# - dest: /matrix/aux
#
# - dest: /matrix/another
# mode: '0700'
# owner: 'some-user'
# group: 'some-group'
matrix_aux_directory_definitions: []
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
matrix_aux_file_default_mode: '0640'
# Holds a list of files to create on the server.
#
# By default, files are:
# - created with permissions as specified in `matrix_aux_file_default_mode`
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
#
# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below).
# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files,
# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`).
#
# Note: parent paths for files must exist.
# If you've defined a file with a destination of `/matrix/some/path/file.txt`,
# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well.
# You don't need to do this for directories that the playbook already creates for you.
#
# Use a `content` key for text content and `src` with a location to a file for binary content.
# The `content` key does not support binary content (see https://github.com/ansible/ansible/issues/11594).
#
# Example:
#
# matrix_aux_file_definitions:
# - dest: "{{ matrix_synapse_config_dir_path }}/something.html"
# content: |
# <!doctype html>
# <html><body>Something</body></html>
#
# - dest: /matrix/aux/some-other-file.txt
# content: "Something"
# mode: '0600'
# owner: 'some-user'
# group: 'some-group'
#
# - dest: /matrix/aux/yet-another-file.txt
# content: "{{ lookup('template', '/path/to/file.txt.j2') }}"
# mode: '0600'
# owner: 'some-user'
# group: 'some-group'
#
# - dest: /matrix/aux/binary-file.dat
# src: "/path/to/binary.dat"
# mode: '0600'
# owner: 'some-user'
# group: 'some-group'
matrix_aux_file_definitions: []

@ -1,9 +0,0 @@
---
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
tags:
- setup-all
- setup-aux-files
- install-all
- install-aux-files

@ -1,20 +0,0 @@
---
- name: Ensure AUX directories are created
ansible.builtin.file:
dest: "{{ item.dest }}"
state: directory
owner: "{{ item.owner | default(matrix_user_username) }}"
group: "{{ item.group | default(matrix_user_groupname) }}"
mode: "{{ item.mode | default(matrix_aux_directory_default_mode) }}"
with_items: "{{ matrix_aux_directory_definitions }}"
- name: Ensure AUX files are created
ansible.builtin.copy:
src: "{{ item.src if 'src' in item else omit }}"
content: "{{ item.content if 'content' in item else omit }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner | default(matrix_user_username) }}"
group: "{{ item.group | default(matrix_user_groupname) }}"
mode: "{{ item.mode | default(matrix_aux_file_default_mode) }}"
with_items: "{{ matrix_aux_file_definitions }}"

@ -1,107 +0,0 @@
---
# Project source code URL: https://gitlab.com/etke.cc/borgmatic
matrix_backup_borg_enabled: true
matrix_backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg"
matrix_backup_borg_config_path: "{{ matrix_backup_borg_base_path }}/config"
matrix_backup_borg_container_image_self_build: false
matrix_backup_borg_docker_repo: "https://gitlab.com/etke.cc/borgmatic"
matrix_backup_borg_docker_repo_version: main
matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/docker-src"
# image and postgres version determined automatically, based on detected postgres server version (if enabled), otherwise latest is used
matrix_backup_borg_version: ""
matrix_backup_borg_postgres_version: ""
matrix_backup_borg_borg_version: 1.2.3
matrix_backup_borg_borgmatic_version: 1.7.5
matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}"
matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}"
matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}"
# A list of extra arguments to pass to the container
matrix_backup_borg_container_extra_arguments: []
# List of systemd services that matrix-backup-borg.service depends on
matrix_backup_borg_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-backup-borg.service wants
matrix_backup_borg_systemd_wanted_services_list: []
# systemd calendar configuration for the backup job
# the actual job may run with a delay (see matrix_backup_borg_schedule_randomized_delay_sec)
matrix_backup_borg_schedule: "*-*-* 04:00:00"
# the delay with which the systemd timer may run in relation to the `matrix_backup_borg_schedule` schedule
matrix_backup_borg_schedule_randomized_delay_sec: 2h
# what directories should be added to backup
matrix_backup_borg_location_source_directories: []
# postgres db backup
matrix_backup_borg_postgresql_enabled: true
matrix_backup_borg_supported_postgres_versions: ['12', '13', '14', '15']
matrix_backup_borg_postgresql_databases: []
matrix_backup_borg_postgresql_databases_hostname: ''
matrix_backup_borg_postgresql_databases_username: "matrix"
matrix_backup_borg_postgresql_databases_password: ""
matrix_backup_borg_postgresql_databases_port: 5432
# target repositories
matrix_backup_borg_location_repositories: []
# exclude following paths:
matrix_backup_borg_location_exclude_patterns: []
# borg encryption mode, only "repokey-*" and "none" are supported
matrix_backup_borg_encryption: repokey-blake2
# private ssh key used to connect to the borg repo
matrix_backup_borg_ssh_key_private: ""
# allow unencrypted repo access
matrix_backup_borg_unknown_unencrypted_repo_access_is_ok: "{{ matrix_backup_borg_encryption == 'none' }}"
# borg ssh command with ssh key
matrix_backup_borg_storage_ssh_command: ssh -o "StrictHostKeyChecking accept-new" -i /etc/borgmatic.d/sshkey
# compression algorithm
matrix_backup_borg_storage_compression: lz4
# archive name format
matrix_backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
# repository passphrase
matrix_backup_borg_storage_encryption_passphrase: ""
# retention configuration
matrix_backup_borg_retention_keep_hourly: 0
matrix_backup_borg_retention_keep_daily: 7
matrix_backup_borg_retention_keep_weekly: 4
matrix_backup_borg_retention_keep_monthly: 12
matrix_backup_borg_retention_keep_yearly: 2
# retention prefix
matrix_backup_borg_retention_prefix: matrix-
# Default borgmatic configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_backup_borg_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_backup_borg_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_backup_borg_configuration_extension_yaml: |
# Your custom YAML configuration for borgmatic goes here.
# This configuration extends the default starting configuration (`matrix_borg_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_backup_borg_configuration_yaml`.
matrix_backup_borg_configuration_extension: "{{ matrix_backup_borg_configuration_extension_yaml | from_yaml if matrix_backup_borg_configuration_extension_yaml | from_yaml is mapping else {} }}"
# Holds the final borgmatic configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_backup_borg_configuration_yaml`.
matrix_backup_borg_configuration: "{{ matrix_backup_borg_configuration_yaml | from_yaml | combine(matrix_backup_borg_configuration_extension, recursive=True) }}"

@ -1,20 +0,0 @@
---
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_backup_borg_enabled | bool"
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup | bool and matrix_backup_borg_enabled | bool"
tags:
- setup-all
- setup-backup-borg
- install-all
- install-backup-borg
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup | bool and not matrix_backup_borg_enabled | bool"
tags:
- setup-all
- setup-backup-borg

@ -1,107 +0,0 @@
---
- when: matrix_backup_borg_postgresql_enabled | bool and matrix_backup_borg_version == ''
block:
- name: Fail with matrix_backup_borg_version advice if Postgres not enabled
ansible.builtin.fail:
msg: >-
You are not running a built-in Postgres server (`devture_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen.
Consider setting `matrix_backup_borg_version` to your Postgres version manually.
when: not devture_postgres_enabled
- ansible.builtin.include_role:
name: galaxy/com.devture.ansible.role.postgres
tasks_from: detect_existing_postgres_version
- name: Fail if detected Postgres version is unsupported
ansible.builtin.fail:
msg: "You cannot use borg backup with such an old version ({{ devture_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql"
when: "devture_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions"
- name: Set the correct borg backup version to use
ansible.builtin.set_fact:
matrix_backup_borg_version: "{{ devture_postgres_detected_version }}-{{ matrix_backup_borg_borg_version }}-{{ matrix_backup_borg_borgmatic_version }}"
- name: Ensure borg paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_backup_borg_config_path }}", when: true}
- {path: "{{ matrix_backup_borg_docker_src_files_path }}", when: true}
when: "item.when | bool"
- name: Ensure borgmatic config is created
ansible.builtin.copy:
content: "{{ matrix_backup_borg_configuration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_backup_borg_config_path }}/config.yaml"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
- name: Ensure borg passwd is created
ansible.builtin.template:
src: "{{ role_path }}/templates/passwd.j2"
dest: "{{ matrix_backup_borg_config_path }}/passwd"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
- name: Ensure borg ssh key is created
ansible.builtin.template:
src: "{{ role_path }}/templates/sshkey.j2"
dest: "{{ matrix_backup_borg_config_path }}/sshkey"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0600
- name: Ensure borg image is pulled
community.docker.docker_image:
name: "{{ matrix_backup_borg_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_backup_borg_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_backup_borg_docker_image_force_pull }}"
when: "not matrix_backup_borg_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure borg repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_backup_borg_docker_repo }}"
version: "{{ matrix_backup_borg_docker_repo_version }}"
dest: "{{ matrix_backup_borg_docker_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_backup_borg_git_pull_results
when: "matrix_backup_borg_container_image_self_build | bool"
- name: Ensure borg image is built
community.docker.docker_image:
name: "{{ matrix_backup_borg_docker_image }}"
source: build
force_source: "{{ matrix_backup_borg_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_backup_borg_docker_src_files_path }}"
pull: true
when: "matrix_backup_borg_container_image_self_build | bool"
- name: Ensure matrix-backup-borg.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-backup-borg.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service"
mode: 0644
register: matrix_backup_borg_systemd_service_result
- name: Ensure matrix-backup-borg.timer installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-backup-borg.timer.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer"
mode: 0644

@ -1,25 +0,0 @@
---
- name: Check existence of matrix-backup-borg service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service"
register: matrix_backup_borg_service_stat
- when: matrix_backup_borg_service_stat.stat.exists | bool
block:
- name: Ensure matrix-backup-borg is stopped
ansible.builtin.service:
name: matrix-backup-borg
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-backup-borg.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service"
state: absent
- name: Ensure matrix-backup-borg.timer doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer"
state: absent

@ -1,16 +0,0 @@
---
- name: Fail if required backup-borg settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] == ''"
with_items:
- {'name': 'matrix_backup_borg_ssh_key_private', when: true}
- {'name': 'matrix_backup_borg_location_repositories', when: true}
- {'name': 'matrix_backup_borg_postgresql_databases_hostname', when: "{{ matrix_backup_borg_postgresql_enabled }}"}
- name: Fail if encryption passphrase is undefined unless repository is unencrypted
ansible.builtin.fail:
msg: >-
You need to define a required passphrase using the `matrix_backup_borg_storage_encryption_passphrase` variable.
when: "matrix_backup_borg_storage_encryption_passphrase == '' and matrix_backup_borg_encryption != 'none'"

@ -1,43 +0,0 @@
#jinja2: lstrip_blocks: "True", trim_blocks: "True"
location:
source_directories: {{ matrix_backup_borg_location_source_directories|to_json }}
repositories: {{ matrix_backup_borg_location_repositories|to_json }}
one_file_system: true
exclude_patterns: {{ matrix_backup_borg_location_exclude_patterns|to_json }}
storage:
compression: {{ matrix_backup_borg_storage_compression|to_json }}
ssh_command: {{ matrix_backup_borg_storage_ssh_command|to_json }}
archive_name_format: {{ matrix_backup_borg_storage_archive_name_format|to_json }}
encryption_passphrase: {{ matrix_backup_borg_storage_encryption_passphrase|to_json }}
unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_repo_access_is_ok|to_json }}
retention:
keep_hourly: {{ matrix_backup_borg_retention_keep_hourly|to_json }}
keep_daily: {{ matrix_backup_borg_retention_keep_daily|to_json }}
keep_weekly: {{ matrix_backup_borg_retention_keep_weekly|to_json }}
keep_monthly: {{ matrix_backup_borg_retention_keep_monthly|to_json }}
keep_yearly: {{ matrix_backup_borg_retention_keep_yearly|to_json }}
prefix: {{ matrix_backup_borg_retention_prefix|to_json }}
consistency:
checks:
- repository
- archives
hooks:
{% if matrix_backup_borg_postgresql_enabled and matrix_backup_borg_postgresql_databases|length > 0 %}
postgresql_databases:
{% for database in matrix_backup_borg_postgresql_databases %}
- name: {{ database|to_json }}
hostname: {{ matrix_backup_borg_postgresql_databases_hostname|to_json }}
username: {{ matrix_backup_borg_postgresql_databases_username|to_json }}
password: {{ matrix_backup_borg_postgresql_databases_password|to_json }}
port: {{ matrix_backup_borg_postgresql_databases_port | int | to_json }}
{% endfor %}
{% endif %}
after_backup:
- echo "Backup created."
on_error:
- echo "Error while creating a backup."

@ -1,29 +0,0 @@
{# the passwd file with correct username, UID and GID is mandatory to work with borg over ssh, otherwise ssh connections will fail #}
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
{{ matrix_user_username }}:x:{{ matrix_user_uid }}:{{ matrix_user_gid }}:Matrix:/tmp:/bin/ash
nobody:x:65534:65534:nobody:/:/sbin/nologin

@ -1 +0,0 @@
{{ matrix_backup_borg_ssh_key_private }}

@ -1,65 +0,0 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Borg Backup
{% for service in matrix_backup_borg_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_backup_borg_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=oneshot
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
--log-driver=none \
--cap-drop=ALL \
--read-only \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
{% for source in matrix_backup_borg_location_source_directories %}
--mount type=bind,src={{ source }},dst={{ source }},ro \
{% endfor %}
{% for arg in matrix_backup_borg_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_backup_borg_docker_image }} \
sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}"
# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container
# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file,
# owned by `matrix:matrix` on the filesystem.
#
# `/root` is mountes as temporary filesystem, because we're using `--read-only` and because
# Borgmatic tries to write to at least a few paths under `/root` (`.config`, `.ssh`, `.borgmatic`).
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
--log-driver=none \
--cap-drop=ALL \
--cap-add=CAP_DAC_OVERRIDE \
--read-only \
--network={{ matrix_docker_network }} \
--tmpfs=/root:rw,noexec,nosuid,size=100m \
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
{% for source in matrix_backup_borg_location_source_directories %}
--mount type=bind,src={{ source }},dst={{ source }},ro \
{% endfor %}
{% for arg in matrix_backup_borg_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_backup_borg_docker_image }}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
SyslogIdentifier=matrix-backup-borg
[Install]
WantedBy=multi-user.target

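Review bot: the stated reason for `--cap-add=CAP_DAC_OVERRIDE` on the `ExecStart` line (root inside the container must read a `matrix:matrix`-owned config.yaml) is already satisfied by the unprivileged form used two commands earlier in `ExecStartPre`, which runs `rcreate` with `--cap-drop=ALL --user={{ matrix_user_uid }}:{{ matrix_user_gid }}` against the same read-only config mount; if the capability is in fact needed to read the bind-mounted `matrix_backup_borg_location_source_directories` owned by other UIDs, the comment should say so, and whichever role replaces this unit should keep the `--read-only`, `--cap-drop=ALL` and `noexec,nosuid` tmpfs hardening rather than default to root. The comment also has a typo (`mountes` for `mounted`) if it is carried over.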
@ -1,10 +0,0 @@
[Unit]
Description=Matrix Borg Backup timer
[Timer]
Unit=matrix-backup-borg.service
OnCalendar={{ matrix_backup_borg_schedule }}
RandomizedDelaySec={{ matrix_backup_borg_schedule_randomized_delay_sec }}
[Install]
WantedBy=timers.target

@ -72,7 +72,7 @@ matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"
# This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
# This is where you access the etherpad (if enabled via matrix_etherpad_enabled; disabled by default).
# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default).
matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"
# For use with Go-NEB! (github callback url for example)
@ -90,8 +90,14 @@ matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
# This is where you access the ntfy push notification service.
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
# This is where you access rageshake.
matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
matrix_federation_public_port: 8448
# The name of the Traefik entrypoint for handling Matrix Federation
matrix_federation_traefik_entrypoint: matrix-federation
# The architecture that your server runs.
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
# Not all architectures support all services, so your experience (on non-amd64) may vary.
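Review bot: `matrix_federation_public_port: 8448` and `matrix_federation_traefik_entrypoint` are the only variables in this region without the one-line comment every neighbouring entry carries; state whether 8448 is the port advertised to other homeservers, the port the `matrix-federation` Traefik entrypoint listens on, or both, since those differ when someone runs Traefik themselves (`other-traefik-container`) and must match the entrypoint name against their own configuration.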
@ -151,17 +157,25 @@ matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming
# Controls whether Element should use End-to-End Encryption by default.
# Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
matrix_client_element_e2ee_default: true
matrix_well_known_matrix_client_io_element_e2ee_default: true
# Controls whether Element should require a secure backup set up before Element can be used.
# Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup.
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
matrix_client_element_e2ee_secure_backup_required: false
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false
# Controls which backup methods from ["key", "passphrase"] should be used, both is the default.
# Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
matrix_client_element_e2ee_secure_backup_setup_methods: []
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: []
# Controls whether element related entries should be added to the client well-known. Override this to false to hide
# element related well-known entries.
# By default if any of the following change from their default this is set to true:
# `matrix_well_known_matrix_client_io_element_e2ee_default`
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required`
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods`
matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}"
# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
# You can customize it by controlling the various variables inside the template file that it references.
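Review bot: the `matrix_well_known_matrix_client_io_element_e2ee_entries_enabled` expression depends on Jinja precedence (`not` binds tighter than `or`, and `| length > 0` tighter than both), so it evaluates as `(not default) or required or (methods | length > 0)`, which is the intent; wrapping each term in parentheses would make that explicit and survive later edits. Two comment fixes while here: `tell Element require a secure backup` should read `tell Element to require a secure backup`, and `other then empty` should read `other than empty`.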
@ -262,6 +276,53 @@ matrix_well_known_matrix_support_enabled: false
matrix_homeserver_container_extra_arguments_auto: []
matrix_homeserver_app_service_config_files_auto: []
# Specifies the type of reverse-proxy used by the playbook.
#
# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
# as well as how all other services are configured.
#
# Valid options and a description of their behavior:
#
# - `playbook-managed-traefik`
# - the playbook will run a managed Traefik instance (matrix-traefik)
# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working
#
# - `playbook-managed-nginx`
# - the playbook will install matrix-nginx-proxy
# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`)
# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email`
#
# - `other-traefik-container`
# - this playbook will not install Traefik
# - nevertheless, the playbook expects that you would install Traefik yourself via other means
# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)
#
# - `other-nginx-non-container`
# - the playbook will not install matrix-nginx-proxy
# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d
# - these configs are meant to be included into a locally-installed (without a container) nginx server
# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`)
#
# - `other-on-same-host`
# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future
#
# - `other-on-another-host`
# - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`)
# - configurable via `matrix_playbook_service_host_bind_interface_prefix`
#
# - `none`
# - no reverse-proxy will be installed
# - no nginx configuration will be dumped in /matrix/nginx/conf.d
# - no port exposure will be done for any of the container services
# - it's up to you to expose the ports you want, etc.
matrix_playbook_reverse_proxy_type: ''
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
# Variables to Control which parts of our roles run.
run_postgres_import: true
run_postgres_upgrade: true

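Review bot: the `other-on-another-host` description should carry a warning, because `matrix_playbook_service_host_bind_interface_prefix` then resolves to `0.0.0.0:` and every container service (homeserver, bridges, bots) is published on all interfaces; this mode only makes sense behind a host firewall or on a private link between the two hosts, and the comment currently says nothing about that. Also, `matrix_playbook_reverse_proxy_type` now defaults to `''`, so the block should say up front that an explicit value is required, and the `other-on-same-host` entry ("supposedly won't generate useless configuration ... in the future") should describe what the option does today rather than what it may do later.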
@ -1,30 +1,28 @@
---
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
tags:
- tags:
- setup-all
- install-all
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`,
# which are required by many other roles.
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
tags:
- tags:
- always
- setup-system-user
- common
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
tags:
- tags:
- setup-all
- install-all
- common
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml"
tags:
- tags:
- setup-all
- setup-ma1sd
- setup-synapse
@ -37,3 +35,5 @@
- install-dendrite
- install-conduit
- install-nginx-proxy
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml"

@ -18,6 +18,9 @@
- {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'}
- {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'}
- {'old': 'matrix_local_bin_path', 'new': '<there is no global bin path anymore - each role has its own>'}
- {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'}
- {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'}
- {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'}
# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
- name: Fail if matrix_homeserver_generic_secret_key is undefined
@ -51,6 +54,19 @@
msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}."
when: matrix_architecture not in ['amd64', 'arm32', 'arm64']
- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly
ansible.builtin.fail:
msg: |
You have not explicitly specified the type of reverse-proxy you'd like to use (with a `matrix_playbook_reverse_proxy_type` variable in your configuration).
The playbook used to default to nginx (matrix-nginx-proxy), but things are changing with Traefik being the new default reverse-proxy.
Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now
when: matrix_playbook_reverse_proxy_type == ''
- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly
ansible.builtin.fail:
msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices."
when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'playbook-managed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none']
- name: Fail if uppercase domain used
ansible.builtin.fail:
msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!"

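Review bot: both new tasks are named `Fail if matrix_playbook_reverse_proxy_type is set incorrectly`, so a user reading play output cannot tell the `== ''` case from the invalid-value case; rename the first to something like `Fail if matrix_playbook_reverse_proxy_type is not specified`. The allowed list in the second task's `when` duplicates the options documented in `roles/custom/matrix-base/defaults/main.yml`; keeping the list in one variable that both the docs comment and this check reference would stop the two from drifting.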
@ -25,8 +25,12 @@ else
echo "Remove unused Docker images and resources"
docker system prune -af
echo "Remove Docker matrix network (should be gone already, but ..)"
docker network rm {{ matrix_docker_network }}
echo "This playbook creates a lot of matrix-* networks. Consider removing them manually ('docker network ls', followed by 'docker network rm NETWORK_NAME')"
echo "Remove {{ matrix_base_data_path }} directory"
rm -fr "{{ matrix_base_data_path }}"
exit 0

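Review bot: rather than telling the user to run `docker network ls` and `docker network rm NETWORK_NAME` by hand, the script can remove the `matrix-*` networks it created, for example `docker network ls --filter name=matrix- -q | xargs -r docker network rm` (the `name` filter does partial matching), which also keeps the "should be gone already" note for `matrix_docker_network` honest. Separately, `docker system prune -af` on the preceding line deletes every unused image and build cache on the host, not only Matrix ones, which deserves its own warning line for people running other containers on the same machine.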
@ -26,18 +26,26 @@
"preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }}
}
{% endif %}
{% if matrix_sliding_sync_enabled %},
"org.matrix.msc3575.proxy": {
"url": "{{ matrix_sliding_sync_base_url }}"
}
{% endif %}
{% if matrix_client_element_location_sharing_enabled %},
"m.tile_server": {
"map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json"
}
{% endif %}
,
{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
"io.element.e2ee": {
"default": {{ matrix_client_element_e2ee_default|to_json }},
"secure_backup_required": {{ matrix_client_element_e2ee_secure_backup_required|to_json }},
"secure_backup_setup_methods": {{ matrix_client_element_e2ee_secure_backup_setup_methods|to_json }}
},
"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }},
"secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }},
"secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }}
}
{% endif %}
{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
"im.vector.riot.e2ee": {
"default": {{ matrix_client_element_e2ee_default|to_json }}
"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}
}
{% endif %}
}

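Review bot: the two `{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}` blocks share one condition and can be a single block emitting both `io.element.e2ee` and `im.vector.riot.e2ee`. More importantly, this template assembles JSON by hand with leading-comma conditionals, and one misplaced comma (the bare `,` line that this change replaces is an example of how fragile that is) yields an invalid `/.well-known/matrix/client` that clients will reject; building the object as an Ansible dict and emitting it with a single `| to_json`, or at least parsing the rendered output with a JSON validator in the test suite, would catch that class of error.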
@ -1,23 +1,70 @@
---
# buscarron is a helpdesk bot
# buscarron is a Web forms (HTTP POST) to Matrix service.
# Project source code URL: https://gitlab.com/etke.cc/buscarron
matrix_bot_buscarron_enabled: true
matrix_bot_buscarron_version: v1.3.1
# The hostname at which Buscarron is served.
matrix_bot_buscarron_hostname: ''
# The path at which Buscarron is exposed.
# This value must either be `/` or not end with a slash (e.g. `/buscarron`).
matrix_bot_buscarron_path_prefix: /
matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron"
matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config"
matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data"
matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store"
matrix_bot_buscarron_container_image_self_build: false
matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git"
matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}"
matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src"
matrix_bot_buscarron_version: v1.3.1
matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}"
matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}"
matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}"
matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron"
matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config"
matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data"
matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store"
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_bot_buscarron_container_network: matrix-bot-buscarron
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_bot_buscarron_container_additional_networks: []
# matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_bot_buscarron_container_labels_additional_labels`.
matrix_bot_buscarron_container_labels_traefik_enabled: true
matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_bot_buscarron_container_network }}"
matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`).
matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}"
matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_bot_buscarron_container_labels_traefik_priority: 0
matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure
matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}"
matrix_bot_buscarron_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom`
matrix_bot_buscarron_container_labels_traefik_additional_response_headers: "{{ matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom) }}"
matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto: {}
matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom: {}
# matrix_bot_buscarron_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_bot_buscarron_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_bot_buscarron_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_bot_buscarron_container_extra_arguments: []

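Review bot: `matrix_bot_buscarron_container_labels_traefik_tls` is derived as `entrypoints != 'web'`, but the `traefik.http.routers.*.entrypoints` label accepts a comma-separated list, so a value such as `web,web-secure` would enable TLS on both and break the plain `web` entrypoint; either document that the variable holds exactly one entrypoint name or derive `tls` from whether `web-secure` is in the list. Also, `matrix_bot_buscarron_version: v1.3.1` appears twice in this hunk (once near the top, once after `matrix_bot_buscarron_docker_src_files_path`); since the diff markers were stripped on this page, confirm only the relocated copy survives.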
@ -1,20 +1,20 @@
---
- block:
- tags:
- setup-all
- setup-bot-buscarron
- install-all
- install-bot-buscarron
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_buscarron_enabled | bool"
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup | bool and matrix_bot_buscarron_enabled | bool"
tags:
- tags:
- setup-all
- setup-bot-buscarron
- install-all
- install-bot-buscarron
- block:
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool"
tags:
- setup-all
- setup-bot-buscarron

@ -40,13 +40,16 @@
- {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true}
when: "item.when | bool"
- name: Ensure buscarron environment variables file created
- name: Ensure buscarron support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/env.j2"
dest: "{{ matrix_bot_buscarron_config_path }}/env"
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_bot_buscarron_config_path }}/{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
with_items:
- env
- labels
- name: Ensure buscarron image is pulled
community.docker.docker_image:
@ -89,6 +92,11 @@
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service"
mode: 0644
- name: Ensure buscarron container network is created
community.general.docker_network:
name: "{{ matrix_bot_buscarron_container_network }}"
driver: bridge
- name: Ensure matrix-bot-buscarron.service restarted, if necessary
ansible.builtin.service:
name: "matrix-bot-buscarron.service"

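Review bot: the new network task uses `community.general.docker_network`, while the other tasks in this same file use `community.docker.docker_image`; the Docker modules live in `community.docker` and the `community.general.docker_*` names are only compatibility redirects, so use `community.docker.docker_network` here for consistency and to avoid depending on the redirect.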
@ -7,4 +7,5 @@
when: "item.when | bool and vars[item.name] == ''"
with_items:
- {'name': 'matrix_bot_buscarron_password', when: true}
- {'name': 'matrix_bot_buscarron_hostname', when: true}
- {'name': 'matrix_bot_buscarron_database_hostname', when: "{{ matrix_bot_buscarron_database_engine == 'postgres' }}"}

@ -0,0 +1,45 @@
{% if matrix_bot_buscarron_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_bot_buscarron_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_network }}
{% endif %}
{% set middlewares = [] %}
{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-bot-buscarron-slashless-redirect'] %}
{% endif %}
{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes={{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
{% endif %}
{% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set middlewares = middlewares + ['matrix-bot-buscarron-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-bot-buscarron.rule={{ matrix_bot_buscarron_container_labels_traefik_rule }}
{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-bot-buscarron.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-bot-buscarron.service=matrix-bot-buscarron
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-bot-buscarron.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-bot-buscarron.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }}
{% if matrix_bot_buscarron_container_labels_traefik_tls %}
traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
{% endif %}
{{ matrix_bot_buscarron_container_labels_additional_labels }}

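Review bot: `{{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }}` on the redirectregex line applies Ansible's shell-quoting filter, which is not a regex escape; it happens to work for a plain prefix like `/buscarron`, but `regex_escape` is the filter that matches the intent of placing the prefix inside `(...)$`. Also, the `customresponseheaders.{{ name }}={{ value }}` line emits values raw into a label file, so a value containing a newline would start a new label; either document that restriction on `matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom` or strip newlines when rendering.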
@ -16,21 +16,31 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true'
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-buscarron \
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-bot-buscarron \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
--network={{ matrix_bot_buscarron_container_network }} \
--env-file={{ matrix_bot_buscarron_config_path }}/env \
--label-file={{ matrix_bot_buscarron_config_path }}/labels \
--mount type=bind,src={{ matrix_bot_buscarron_data_path }},dst=/data \
{% for arg in matrix_bot_buscarron_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_bot_buscarron_docker_image }}
{% for network in matrix_bot_buscarron_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-buscarron
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-buscarron
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-bot-buscarron

@ -4,19 +4,22 @@
matrix_bot_chatgpt_enabled: true
matrix_bot_chatgpt_version: 3.0.0
matrix_bot_chatgpt_container_image_self_build: false
matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}"
matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src"
matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
matrix_bot_chatgpt_container_image_self_build_repo_version: "{{ 'main' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}"
matrix_bot_chatgpt_version: 1.2.3
matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}"
matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}"
matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}"
matrix_bot_chatgpt_container_image: "{{ matrix_bot_chatgpt_container_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_container_image_tag }}"
matrix_bot_chatgpt_container_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else matrix_bot_chatgpt_container_image_registry_prefix }}"
matrix_bot_chatgpt_container_image_tag: "{{ matrix_bot_chatgpt_version }}"
matrix_bot_chatgpt_container_image_force_pull: "{{ matrix_bot_chatgpt_container_image.endswith(':latest') }}"
matrix_bot_chatgpt_container_image_registry_prefix: ghcr.io/
matrix_bot_chatgpt_base_path: "{{ matrix_base_data_path }}/chatgpt"
matrix_bot_chatgpt_config_path: "{{ matrix_bot_chatgpt_base_path }}/config"
matrix_bot_chatgpt_data_path: "{{ matrix_bot_chatgpt_base_path }}/data"
matrix_bot_chatgpt_container_src_path: "{{ matrix_bot_chatgpt_base_path }}/container-src"
# A list of extra arguments to pass to the container
matrix_bot_chatgpt_container_extra_arguments: []
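Review bot: this hunk shows `matrix_bot_chatgpt_version` going from `1.2.3` to `3.0.0` alongside the `container_image_self_build_repo_version` change from `'latest'` to `'main'`; since the following hunk also replaces the email/password login variables with an API key, this is a breaking configuration change for existing users and should be called out in the CHANGELOG with the variables they must replace.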
@ -28,9 +31,14 @@ matrix_bot_chatgpt_systemd_required_services_list: ['docker.service']
matrix_bot_chatgpt_systemd_wanted_services_list: []
# ChatGPT Settings
matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL=
matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD=
matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google"
matrix_bot_chatgpt_openai_api_key: ''
matrix_bot_chatgpt_api_model: 'gpt-3.5-turbo'
matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread"
matrix_bot_chatgpt_keyv_backend: 'file'
matrix_bot_chatgpt_keyv_url: ''
matrix_bot_chatgpt_keyv_bot_encryption: false
matrix_bot_chatgpt_keyv_bot_storage: true
# Matrix Static Settings (required, see notes)
# Defaults to "https://matrix.org"
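Review bot: the new `matrix_bot_chatgpt_openai_api_key`, `matrix_bot_chatgpt_api_model` and `matrix_bot_chatgpt_keyv_*` variables lack the trailing `# ENV_NAME=` hint that the lines they replace carried, which is how readers of this file map a variable to the bot's environment variable; add them. `matrix_bot_chatgpt_openai_api_key` is a secret that the bot cannot run without, so `validate_config.yml` should fail when it is empty, the same way the buscarron role checks `matrix_bot_buscarron_password`, and `matrix_bot_chatgpt_keyv_bot_encryption: false` deserves a comment on what is left unencrypted when it is off.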
@ -49,6 +57,9 @@ matrix_bot_chatgpt_matrix_default_prefix: "!chatgpt " # MATRIX_DEFAULT_PREFIX=
matrix_bot_chatgpt_matrix_default_prefix_reply: false # MATRIX_DEFAULT_PREFIX_REPLY=
# Matrix Access Control (optional)
#
# Lists of space-separated entries. Example:
# matrix_bot_chatgpt_matrix_whitelist: ":{{ matrix_domain }} :second-domain.com :third-domain.com"
matrix_bot_chatgpt_matrix_blacklist: ''
matrix_bot_chatgpt_matrix_whitelist: ':{{ matrix_domain }}'
@ -68,11 +79,11 @@ matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true
# - @*:another.com
# matrix_bot_chatgpt_admins: "{{ [matrix_admin] if matrix_admin else [] }}"
# Log level
# matrix_bot_chatgpt_loglevel: 'INFO'
# Additional environment variables to pass to the chatgpt container
#
# You can discover additional environment variables from:
# https://github.com/matrixgpt/matrix-chatgpt-bot/blob/main/src/env.ts
#
# Example:
# matrix_bot_chatgpt_environment_variables_extension: |
# chatgpt_TEXT_DONE=Done

@ -0,0 +1,63 @@
---
- name: Ensure chatgpt paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_bot_chatgpt_config_path }}", when: true}
- {path: "{{ matrix_bot_chatgpt_data_path }}", when: true}
- {path: "{{ matrix_bot_chatgpt_container_src_path }}", when: matrix_bot_chatgpt_container_image_self_build}
when: "item.when | bool"
- name: Ensure chatgpt environment variables file created
ansible.builtin.template:
src: "{{ role_path }}/templates/env.j2"
dest: "{{ matrix_bot_chatgpt_config_path }}/env"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
- name: Ensure chatgpt container image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_chatgpt_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_chatgpt_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_container_image_force_pull }}"
when: "not matrix_bot_chatgpt_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: matrix_bot_chatgpt_container_image_self_build | bool
block:
- name: Ensure chatgpt repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_bot_chatgpt_container_image_self_build_repo }}"
version: "{{ matrix_bot_chatgpt_container_image_self_build_repo_version }}"
dest: "{{ matrix_bot_chatgpt_container_src_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_bot_chatgpt_git_pull_results
- name: Ensure chatgpt container image is built
community.docker.docker_image:
name: "{{ matrix_bot_chatgpt_container_image }}"
source: build
force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_bot_chatgpt_container_src_path }}"
pull: true
- name: Ensure matrix-bot-chatgpt.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-bot-chatgpt.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service"
mode: 0644
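Review bot: the `force:` line of the "Ensure chatgpt container image is built" task references `matrix_mailer_git_pull_results.changed` instead of the `matrix_bot_chatgpt_git_pull_results` registered by the git task two steps earlier; on Ansible releases where the `omit` branch is not taken this is an undefined variable. Change it to `force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_git_pull_results.changed }}"`.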

@ -1,20 +1,21 @@
---
- block:
- when: matrix_bot_chatgpt_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_bot_chatgpt_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-
tags:
- setup-all
- setup-bot-chatgpt
- install-all
- install-bot-chatgpt
block:
- when: matrix_bot_chatgpt_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- block:
- when: not matrix_bot_chatgpt_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
tags:
- when: matrix_bot_chatgpt_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
- tags:
- setup-all
- setup-bot-chatgpt
block:
- when: not matrix_bot_chatgpt_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

@ -1,63 +0,0 @@
---
- name: Ensure chatgpt paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_bot_chatgpt_config_path }}", when: true}
- {path: "{{ matrix_bot_chatgpt_data_path }}", when: true}
- {path: "{{ matrix_bot_chatgpt_docker_src_files_path }}", when: matrix_bot_chatgpt_container_image_self_build}
when: "item.when | bool"
- name: Ensure chatgpt environment variables file created
ansible.builtin.template:
src: "{{ role_path }}/templates/env.j2"
dest: "{{ matrix_bot_chatgpt_config_path }}/env"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
- name: Ensure chatgpt image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_chatgpt_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_chatgpt_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_docker_image_force_pull }}"
when: "not matrix_bot_chatgpt_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure chatgpt repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_bot_chatgpt_docker_repo }}"
version: "{{ matrix_bot_chatgpt_docker_repo_version }}"
dest: "{{ matrix_bot_chatgpt_docker_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_bot_chatgpt_git_pull_results
when: "matrix_bot_chatgpt_container_image_self_build | bool"
- name: Ensure chatgpt image is built
community.docker.docker_image:
name: "{{ matrix_bot_chatgpt_docker_image }}"
source: build
force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_bot_chatgpt_docker_src_files_path }}"
pull: true
when: "matrix_bot_chatgpt_container_image_self_build | bool"
- name: Ensure matrix-bot-chatgpt.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-bot-chatgpt.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service"
mode: 0644
register: matrix_bot_chatgpt_systemd_service_result
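Review bot: the deleted setup_install.yml registered `matrix_bot_chatgpt_systemd_service_result` on the service-template task, and the replacement install.yml added in this change registers nothing there; confirm no handler or later task still reads that variable, otherwise it now fails as undefined.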

@ -6,7 +6,30 @@
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] == ''"
with_items:
- {'name': 'matrix_bot_chatgpt_openai_email', when: true}
- {'name': 'matrix_bot_chatgpt_openai_password', when: true}
- {'name': 'matrix_bot_chatgpt_openai_login_type', when: true}
- {'name': 'matrix_bot_chatgpt_openai_api_key', when: true}
- {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true}
- name: Fail if OpenAI configuration not up-to-date.
ansible.builtin.fail:
msg: >-
Your configuration contains a varible that is no longer used.
Please change your configuration to remove the variable (`{{ item.name }}`).
when: "item.name in vars"
with_items:
- {'name': 'matrix_bot_chatgpt_openai_email'}
- {'name': 'matrix_bot_chatgpt_openai_password'}
- {'name': 'matrix_bot_chatgpt_openai_login_type'}
- name: (Deprecation) Catch and report renamed ChatGPT settings
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_bot_chatgpt_docker_image', 'new': 'matrix_bot_chatgpt_container_image'}
- {'old': 'matrix_bot_chatgpt_docker_image_name_prefix', 'new': 'matrix_bot_chatgpt_container_image_name_prefix'}
- {'old': 'matrix_bot_chatgpt_docker_image_force_pull', 'new': 'matrix_bot_chatgpt_container_image_force_pull'}
- {'old': 'matrix_bot_chatgpt_docker_repo', 'new': 'matrix_bot_chatgpt_container_image_self_build_repo'}
- {'old': 'matrix_bot_chatgpt_docker_repo_version', 'new': 'matrix_bot_chatgpt_container_image_self_build_repo_version'}
- {'old': 'matrix_bot_chatgpt_docker_src_files_path', 'new': 'matrix_bot_chatgpt_container_src_path'}
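Review bot: typo in the failure message of "Fail if OpenAI configuration not up-to-date." (`varible` should be `variable`), and that task name carries a trailing period unlike the other task names in this file; a name in the style of the task below it, such as `- name: (Deprecation) Catch and report removed OpenAI login settings`, would be consistent. The removed-variable list (email, password, login_type) does match the env template change elsewhere in this diff, which drops those three in favour of OPENAI_API_KEY.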

@ -1,9 +1,14 @@
MATRIX_HOMESERVER_URL={{ matrix_bot_chatgpt_matrix_homeserver_url }}
MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }}
OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }}
OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }}
OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }}
OPENAI_API_KEY={{ matrix_bot_chatgpt_openai_api_key }}
CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }}
CHATGPT_API_MODEL={{ matrix_bot_chatgpt_api_model }}
KEYV_BACKEND={{ matrix_bot_chatgpt_keyv_backend }}
KEYV_URL={{ matrix_bot_chatgpt_keyv_url }}
KEYV_BOT_ENCRYPTION={{ matrix_bot_chatgpt_keyv_bot_encryption|lower }}
KEYV_BOT_STORAGE={{ matrix_bot_chatgpt_keyv_bot_storage|lower }}
# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN
MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }}
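Review bot: this env file now carries two secrets (`MATRIX_ACCESS_TOKEN`, `OPENAI_API_KEY`) plus `KEYV_URL`, which may embed database credentials, so the `mode: 0640` with the matrix user as owner that install.yml applies to it is the right setting and should not be loosened. Style nit: the `|lower` filters on `KEYV_BOT_ENCRYPTION` and `KEYV_BOT_STORAGE` should be written `| lower`, matching the `| bool` spacing used throughout the role's tasks.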

@ -16,7 +16,9 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true'
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-chatgpt \
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
--rm \
--name=matrix-bot-chatgpt \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
@ -29,7 +31,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
{% for arg in matrix_bot_chatgpt_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_bot_chatgpt_docker_image }}
{{ matrix_bot_chatgpt_container_image }}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true'

@ -0,0 +1,59 @@
---
# A moderation tool for Matrix
# Project source code URL: https://github.com/Gnuxie/Draupnir
matrix_bot_draupnir_enabled: true
matrix_bot_draupnir_version: "v1.80.1"
matrix_bot_draupnir_container_image_self_build: false
matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
matrix_bot_draupnir_docker_image: "{{ matrix_bot_draupnir_docker_image_name_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}"
matrix_bot_draupnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_bot_draupnir_docker_image_force_pull: "{{ matrix_bot_draupnir_docker_image.endswith(':latest') }}"
matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
# A list of extra arguments to pass to the container
matrix_bot_draupnir_container_extra_arguments: []
# List of systemd services that matrix-bot-draupnir.service depends on
matrix_bot_draupnir_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-bot-draupnir.service wants
matrix_bot_draupnir_systemd_wanted_services_list: []
# The access token for the bot user
matrix_bot_draupnir_access_token: ""
# The room ID where people can use the bot. The bot has no access controls, so
# anyone in this room can use the bot - secure your room!
# This should be a room alias or room ID - not a matrix.to URL.
# Note: draupnir is fairly verbose - expect a lot of messages from it.
matrix_bot_draupnir_management_room: ""
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_bot_draupnir_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_bot_draupnir_configuration_yaml: "{{ lookup('template', 'templates/production.yaml.j2') }}"
matrix_bot_draupnir_configuration_extension_yaml: |
# Your custom YAML configuration goes here.
# This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_bot_draupnir_configuration_yaml`.
matrix_bot_draupnir_configuration_extension: "{{ matrix_bot_draupnir_configuration_extension_yaml | from_yaml if matrix_bot_draupnir_configuration_extension_yaml | from_yaml is mapping else {} }}"
# Holds the final configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_bot_draupnir_configuration_yaml`.
matrix_bot_draupnir_configuration: "{{ matrix_bot_draupnir_configuration_yaml | from_yaml | combine(matrix_bot_draupnir_configuration_extension, recursive=True) }}"
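Review bot: the new role introduces `matrix_bot_draupnir_docker_image`, `matrix_bot_draupnir_docker_image_name_prefix`, `matrix_bot_draupnir_docker_image_force_pull` and `matrix_bot_draupnir_docker_src_files_path`, while the chatgpt role in this same change is migrating exactly those names to `*_container_image`, `*_container_image_name_prefix`, `*_container_image_force_pull` and `*_container_src_path` with deprecation shims; adopting the new naming here from the start avoids adding the same shims to this role later.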

@ -1,20 +1,20 @@
---
- block:
- when: matrix_prometheus_enabled | bool
- tags:
- setup-all
- setup-bot-draupnir
- install-all
- install-bot-draupnir
block:
- when: matrix_bot_draupnir_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_prometheus_enabled | bool
- when: matrix_bot_draupnir_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
tags:
- setup-all
- setup-prometheus
- install-all
- install-prometheus
- block:
- when: not matrix_prometheus_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
tags:
- tags:
- setup-all
- setup-prometheus
- setup-bot-draupnir
block:
- when: not matrix_bot_draupnir_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

@ -0,0 +1,74 @@
---
- ansible.builtin.set_fact:
matrix_bot_draupnir_requires_restart: false
- name: Ensure matrix-bot-draupnir paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_bot_draupnir_base_path }}", when: true}
- {path: "{{ matrix_bot_draupnir_config_path }}", when: true}
- {path: "{{ matrix_bot_draupnir_data_path }}", when: true}
- {path: "{{ matrix_bot_draupnir_docker_src_files_path }}", when: "{{ matrix_bot_draupnir_container_image_self_build }}"}
when: "item.when | bool"
- name: Ensure draupnir Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_draupnir_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_draupnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_docker_image_force_pull }}"
when: "not matrix_bot_draupnir_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure draupnir repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_bot_draupnir_container_image_self_build_repo }}"
dest: "{{ matrix_bot_draupnir_docker_src_files_path }}"
version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_bot_draupnir_git_pull_results
when: "matrix_bot_draupnir_container_image_self_build | bool"
- name: Ensure draupnir Docker image is built
community.docker.docker_image:
name: "{{ matrix_bot_draupnir_docker_image }}"
source: build
force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_bot_draupnir_docker_src_files_path }}"
pull: true
when: "matrix_bot_draupnir_container_image_self_build | bool"
- name: Ensure matrix-bot-draupnir config installed
ansible.builtin.copy:
content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-bot-draupnir.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
mode: 0644
register: matrix_bot_draupnir_systemd_service_result
- name: Ensure matrix-bot-draupnir.service restarted, if necessary
ansible.builtin.service:
name: "matrix-bot-draupnir.service"
state: restarted
daemon_reload: true
when: "matrix_bot_draupnir_requires_restart | bool"
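Review bot: the "Ensure matrix-bot-draupnir config installed" task writes production.yaml with `mode: 0644`, and that rendered file contains the bot's `accessToken`; use `mode: 0640` (as the chatgpt env file in this change does) so the token is not world-readable on the host. Two smaller points: `matrix_bot_draupnir_requires_restart` is set to `false` at the top and never set to `true` (the registered `matrix_bot_draupnir_systemd_service_result` is unused), so the final restart task can never run; either derive the fact from the config and service tasks' `changed` results or drop both. And `version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}"` in the git task breaks if a registry prefix ever contains a port; `version: "{{ matrix_bot_draupnir_version }}"` is simpler and equivalent here.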

@ -0,0 +1,25 @@
---
- name: Check existence of matrix-bot-draupnir service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
register: matrix_bot_draupnir_service_stat
- when: matrix_bot_draupnir_service_stat.stat.exists | bool
block:
- name: Ensure matrix-bot-draupnir is stopped
ansible.builtin.service:
name: matrix-bot-draupnir
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-bot-draupnir.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
state: absent
- name: Ensure matrix-bot-draupnir paths don't exist
ansible.builtin.file:
path: "{{ matrix_bot_draupnir_base_path }}"
state: absent
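Review bot: the last task removes `matrix_bot_draupnir_base_path` recursively, which per defaults/main.yml includes the data directory holding Draupnir's state; that is acceptable for a full uninstall but should be stated in the role's documentation so operators know the uninstall is destructive. Also check whether this task is meant to sit inside the `stat.exists` block: removing leftover paths even when the unit file is already gone is usually the more useful behaviour, so it should be a top-level task.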

@ -0,0 +1,9 @@
---
- name: Fail if required variables are undefined
ansible.builtin.fail:
msg: "The `{{ item }}` variable must be defined and have a non-null value."
with_items:
- "matrix_bot_draupnir_access_token"
- "matrix_bot_draupnir_management_room"
when: "vars[item] == '' or vars[item] is none"

@ -0,0 +1,256 @@
# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API),
# set this to the pantalaimon URL if you're using that.
homeserverUrl: "{{ matrix_homeserver_url }}"
# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
rawHomeserverUrl: "{{ matrix_homeserver_url }}"
# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false.
accessToken: "{{ matrix_bot_draupnir_access_token }}"
# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
#pantalaimon:
# # Whether or not Draupnir will use pantalaimon to access the matrix homeserver,
# # set to `true` if you're using pantalaimon.
# #
# # Be sure to point homeserverUrl to the pantalaimon instance.
# #
# # Draupnir will log in using the given username and password once,
# # then store the resulting access token in a file under dataPath.
# use: false
#
# # The username to login with.
# username: draupnir
#
# # The password Draupnir will login with.
# #
# # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
# password: your_password
# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
dataPath: "/data"
# If true (the default), Draupnir will only accept invites from users present in managementRoom.
autojoinOnlyIfManager: true
# If `autojoinOnlyIfManager` is false, only the members in this space can invite
# the bot to new rooms.
#acceptInvitesFromSpace: "!example:example.org"
# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
recordIgnoredInvites: false
# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
#
# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
#
# This should be a room alias or room ID - not a matrix.to URL.
#
# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
# (see verboseLogging to adjust this a bit.)
managementRoom: "{{ matrix_bot_draupnir_management_room }}"
# Whether Draupnir should log a lot more messages in the room,
# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
verboseLogging: false
# The log level of terminal (or container) output,
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
#
# This should be at INFO or DEBUG in order to get support for Draupnir problems.
logLevel: "INFO"
# Whether or not Draupnir should synchronize policy lists immediately after startup.
# Equivalent to running '!draupnir sync'.
syncOnStartup: true
# Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
# Equivalent to running `!draupnir verify`.
verifyPermissionsOnStartup: true
# Whether or not Draupnir should actually apply bans and policy lists,
# turn on to trial some untrusted configuration or lists.
noop: false
# Whether Draupnir should check member lists quicker (by using a different endpoint),
# keep in mind that enabling this will miss invited (but not joined) users.
#
# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
fasterMembershipChecks: false
# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
#
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
# it will also remove the user's messages automatically.
#
# Typically this is useful to avoid having to give two commands to the bot.
# Advanced: Use asterisks to have the reason match using "globs"
# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting").
#
# See here for more info: https://www.digitalocean.com/community/tools/glob
# Note: Keep in mind that glob is NOT regex!
automaticallyRedactForReasons:
- "spam"
- "advertising"
# A list of rooms to protect. Draupnir will add this to the list it knows from its account data.
#
# It won't, however, add it to the account data.
# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes.
#
# Note: These must be matrix.to URLs
#protectedRooms:
# - "https://matrix.to/#/#yourroom:example.org"
# Whether or not to add all joined rooms to the "protected rooms" list
# (excluding the management room and watched policy list rooms, see below).
#
# Note that this effectively makes the protectedRooms and associated commands useless
# for regular rooms.
#
# Note: the management room is *excluded* from this condition.
# Explicitly add it as a protected room to protect it.
#
# Note: Ban list rooms the bot is watching but didn't create will not be protected.
# Explicitly add these rooms as a protected room list if you want them protected.
protectAllJoinedRooms: false
# Increase this delay to have Draupnir wait longer between two consecutive backgrounded
# operations. The total duration of operations will be longer, but the homeserver won't
# be affected as much. Conversely, decrease this delay to have Draupnir chain operations
# faster. The total duration of operations will generally be shorter, but the performance
# of the homeserver may be more impacted.
backgroundDelayMS: 500
# Server administration commands, these commands will only work if Draupnir is
# a global server administrator, and the bot's server is a Synapse instance.
admin:
# Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
# (with enough permissions) to "make" a user an admin.
#
# This only works if a local user with enough admin permissions is present in the room.
enableMakeRoomAdminCommand: false
# Misc options for command handling and commands
commands:
# Whether or not the `!draupnir` prefix is necessary to submit commands.
#
# If `true`, will allow commands like `!ban`, `!help`, etc.
#
# Note: Draupnir can also be pinged by display name instead of having to use
# the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
# will address only my_moderator_bot.
allowNoPrefix: false
# Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
additionalPrefixes:
- "draupnir-bot"
- "draupnir_bot"
- "draupnir"
# Whether or not commands with a wildcard (*) will require an additional `--force` argument
# in the command to be able to be submitted.
confirmWildcardBan: true
# The default reasons to be prompted with if the reason is missing from a ban command.
ban:
defaultReasons:
- "spam"
- "brigading"
- "harassment"
- "disagreement"
# Configuration specific to certain toggle-able protections
#protections:
# # Configuration for the wordlist plugin, which can ban users based if they say certain
# # blocked words shortly after joining.
# wordlist:
# # A list of case-insensitive keywords that the WordList protection will watch for from new users.
# #
# # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
# #
# # For advanced usage, regex can also be used, see the following links for more information;
# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions
# # - https://regexr.com/
# # - https://regexone.com/
# words:
# - "LoReM"
# - "IpSuM"
# - "DoLoR"
# - "aMeT"
#
# # For how long (in minutes) the user is "new" to the WordList plugin.
# #
# # After this time, the user will no longer be banned for using a word in the above wordlist.
# #
# # Set to zero to disable the timeout and make users *always* appear "new".
# # (users will always be banned if they say a bad word)
# minutesBeforeTrusting: 20
# Options for advanced monitoring of the health of the bot.
health:
# healthz options. These options are best for use in container environments
# like Kubernetes to detect how healthy the service is. The bot will report
# that it is unhealthy until it is able to process user requests. Typically
# this means that it'll flag itself as unhealthy for a number of minutes
# before saying "Now monitoring rooms" and flagging itself healthy.
#
# Health is flagged through HTTP status codes, defined below.
healthz:
# Whether the healthz integration should be enabled (default false)
enabled: false
# The port to expose the webserver on. Defaults to 8080.
port: 8080
# The address to listen for requests on. Defaults to all addresses.
address: "0.0.0.0"
# The path to expose the monitoring endpoint at. Defaults to `/healthz`
endpoint: "/healthz"
# The HTTP status code which reports that the bot is healthy/ready to
# process requests. Typically this should not be changed. Defaults to
# 200.
healthyStatus: 200
# The HTTP status code which reports that the bot is not healthy/ready.
# Defaults to 418.
unhealthyStatus: 418
# Options for exposing web APIs.
#web:
# # Whether to enable web APIs.
# enabled: false
#
# # The port to expose the webserver on. Defaults to 8080.
# port: 8080
#
# # The address to listen for requests on. Defaults to only the current
# # computer.
# address: localhost
#
# # Alternative setting to open to the entire web. Be careful,
# # as this will increase your security perimeter:
# #
# # address: "0.0.0.0"
#
# # A web API designed to intercept Matrix API
# # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
# # and display readable abuse reports in the moderation room.
# #
# # If you wish to take advantage of this feature, you will need
# # to configure a reverse proxy, see e.g. test/nginx.conf
# abuseReporting:
# # Whether to enable this feature.
# enabled: false
# Whether or not to actively poll synapse for abuse reports, to be used
# instead of intercepting client calls to synapse's abuse endpoint, when that
# isn't possible/practical.
pollReports: false
# Whether or not new reports, received either by webapi or polling,
# should be printed to our managementRoom.
displayReports: false
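Review bot: the comment above `dataPath` says to leave the default `"/data/storage"` when using containers, but the value is set to `"/data"`, and the systemd unit in this change bind-mounts the config directory read-only at `/data/config`, inside that same state path; either correct the comment or move the config mount outside `dataPath` (for example `/config`) so writable state and read-only config do not overlap. Since `accessToken` is rendered into this file, the task that installs it should use a restrictive file mode rather than 0644.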

@ -1,11 +1,11 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=matrix-grafana
{% for service in matrix_grafana_systemd_required_services_list %}
Description=Matrix Draupnir bot
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_grafana_systemd_wanted_services_list %}
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
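Review bot: the `Wants=` loop iterates `matrix_bot_draupnir_systemd_required_services_list` a second time; it should use `matrix_bot_draupnir_systemd_wanted_services_list` (defined in defaults/main.yml), as the grafana template this was copied from did with its `_wanted_` list. As written, wanted services are never emitted and required services are listed twice, once as `Requires=`/`After=` and once as `Wants=`.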
@ -13,31 +13,30 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
ExecStartPre={{ matrix_host_command_sleep }} 5
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-grafana \
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-draupnir \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
{% if matrix_grafana_container_http_host_bind_port %}
-p {{ matrix_grafana_container_http_host_bind_port }}:3000 \
{% endif %}
-v {{ matrix_grafana_config_path }}:/etc/grafana:z \
-v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \
{% for arg in matrix_grafana_container_extra_arguments %}
--mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \
--mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \
{% for arg in matrix_bot_draupnir_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_grafana_docker_image }}
{{ matrix_bot_draupnir_docker_image }}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-grafana
SyslogIdentifier=matrix-bot-draupnir
[Install]
WantedBy=multi-user.target
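Review bot: `ExecStartPre={{ matrix_host_command_sleep }} 5` uses the older `matrix_host_command_*` variable family while every other command in this unit uses `devture_systemd_docker_base_host_command_*`; confirm `matrix_host_command_sleep` is still defined, or express the dependency through the required-services list rather than a fixed sleep. The two `--mount` lines nest the read-only config bind at `/data/config` inside the read-write `/data` bind; Docker orders nested mounts by destination path so this works, but mounting the config under a separate path would avoid relying on that ordering.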

@ -1,11 +1,22 @@
---
# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
# Project source code URL: https://github.com/matrix-org/go-neb
matrix_bot_go_neb_enabled: true
matrix_bot_go_neb_version: latest
matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}"
matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}"
matrix_bot_go_neb_scheme: https
# The hostname at which Go-NEB is served.
matrix_bot_go_neb_hostname: ''
# The path at which Go-NEB is exposed.
# This value must either be `/` or not end with a slash (e.g. `/go-neb`).
matrix_bot_go_neb_path_prefix: /
matrix_bot_go_neb_base_url: "{{ matrix_bot_go_neb_scheme }}://{{ matrix_bot_go_neb_hostname }}{{ matrix_bot_go_neb_path_prefix }}{{ '' if matrix_bot_go_neb_path_prefix == '/' else '/' }}"
matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb"
matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config"
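Review bot: `matrix_bot_go_neb_hostname` defaults to `''`, so `matrix_bot_go_neb_base_url` renders as `https://` followed only by the path prefix, and the Traefik rule built from it further down becomes `Host(``)`; the role's validate_config should fail when the bot is enabled and the hostname is empty, since Traefik would otherwise receive an unusable router rule.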
@ -13,11 +24,63 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml"
matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data"
matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store"
matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}"
matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}"
matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}"
matrix_bot_go_neb_container_image_registry_prefix: docker.io/
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_bot_go_neb_container_network: matrix-bot-go-neb
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_bot_go_neb_container_additional_networks: []
# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4050"), or empty string to not expose.
matrix_bot_go_neb_container_http_host_bind_port: ''
# matrix_bot_go_neb_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_bot_go_neb_container_labels_additional_labels`.
matrix_bot_go_neb_container_labels_traefik_enabled: true
matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_bot_go_neb_container_network }}"
matrix_bot_go_neb_container_labels_traefik_hostname: "{{ matrix_bot_go_neb_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/go-neb`).
matrix_bot_go_neb_container_labels_traefik_path_prefix: "{{ matrix_bot_go_neb_path_prefix }}"
matrix_bot_go_neb_container_labels_traefik_rule: "Host(`{{ matrix_bot_go_neb_container_labels_traefik_hostname }}`){% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_bot_go_neb_container_labels_traefik_priority: 0
matrix_bot_go_neb_container_labels_traefik_entrypoints: web-secure
matrix_bot_go_neb_container_labels_traefik_tls: "{{ matrix_bot_go_neb_container_labels_traefik_entrypoints != 'web' }}"
matrix_bot_go_neb_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom`
matrix_bot_go_neb_container_labels_traefik_additional_response_headers: "{{ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom) }}"
matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': matrix_bot_go_neb_http_header_strict_transport_security} if matrix_bot_go_neb_http_header_strict_transport_security and matrix_bot_go_neb_container_labels_traefik_tls else {})
}}
matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom: {}
# matrix_bot_go_neb_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_bot_go_neb_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_bot_go_neb_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_bot_go_neb_container_extra_arguments: []
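Review bot: the auto-headers map built with `combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} ...)` emits a header named `Permission-Policy`, but the standard header is `Permissions-Policy` (the comment further down in this same file, "Permissions-Policy interest-cohort=();", spells it correctly); browsers ignore the misspelled name, so the FLoC opt-out it is meant to deliver has no effect. Suggest renaming the key to `Permissions-Policy`. Separately, the comment on `matrix_bot_go_neb_container_http_host_bind_port` could state that a bare `<port>` value binds on all host interfaces, so the `127.0.0.1:4050` form shown is the one to use unless the service is meant to be reachable directly.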
@ -27,6 +90,57 @@ matrix_bot_go_neb_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-bot-go-neb.service wants
matrix_bot_go_neb_systemd_wanted_services_list: []
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_bot_go_neb_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_bot_go_neb_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
matrix_bot_go_neb_http_header_content_security_policy: frame-ancestors 'self'
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
matrix_bot_go_neb_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_bot_go_neb_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
matrix_bot_go_neb_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_bot_go_neb_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `matrix_bot_go_neb_content_permission_policy`
matrix_bot_go_neb_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `matrix_bot_go_neb_http_header_strict_transport_security`
matrix_bot_go_neb_hsts_preload_enabled: false
# Database-related configuration fields.
#
# MUST be "sqlite3". No other type is supported.

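Review bot: the `See:` line under `matrix_bot_go_neb_floc_optout_enabled` points at `matrix_bot_go_neb_content_permission_policy`, which is not a variable defined in this file; the variable it actually feeds is `matrix_bot_go_neb_http_header_content_permission_policy`, so the reference should be corrected. The comment for that variable should also name the header `Permissions-Policy`, matching the MDN URL directly beneath it. Minor wording: "Learn more about it is here" should read "Learn more about it here". Worth a comment on `matrix_bot_go_neb_http_header_xss_protection` too: MDN documents `X-XSS-Protection` as deprecated and no longer honoured by current Chromium or Firefox, so the `frame-ancestors 'self'` CSP and `nosniff` values are what actually carry the protection here.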
@ -1,8 +1,5 @@
---
- ansible.builtin.set_fact:
matrix_bot_go_neb_requires_restart: false
- name: Ensure go-neb paths exist
ansible.builtin.file:
path: "{{ item.path }}"
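Review bot: dropping the `set_fact` that initialises `matrix_bot_go_neb_requires_restart` is only safe if the task guarded by `when: "matrix_bot_go_neb_requires_restart | bool"` at the end of this file goes with it; otherwise that conditional references an undefined variable and the play fails on the first run. Please confirm no other task in the role still sets or reads the fact.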
@ -16,17 +13,6 @@
- {path: "{{ matrix_bot_go_neb_data_store_path }}", when: true}
when: "item.when | bool"
- name: Ensure go-neb image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_go_neb_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure go-neb config installed
ansible.builtin.copy:
content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}"
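Review bot: the image-pull task removed here referenced `matrix_bot_go_neb_docker_image` and `matrix_bot_go_neb_docker_image_force_pull`, which the defaults hunk renames to `matrix_bot_go_neb_container_image` and `matrix_bot_go_neb_container_image_force_pull`. Suggest adding the old names to the renamed-variable check in `validate_config.yml`, so that anyone who pinned `matrix_bot_go_neb_docker_image` in their vars gets a clear error rather than silently running the default image.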
@ -35,16 +21,35 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure go-neb support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- env
- labels
- name: Ensure go-neb container network is created
community.general.docker_network:
name: "{{ matrix_bot_go_neb_container_network }}"
driver: bridge
- name: Ensure go-neb container image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_go_neb_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-bot-go-neb.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service"
mode: 0644
register: matrix_bot_go_neb_systemd_service_result
- name: Ensure matrix-bot-go-neb.service restarted, if necessary
ansible.builtin.service:
name: "matrix-bot-go-neb.service"
state: restarted
daemon_reload: true
when: "matrix_bot_go_neb_requires_restart | bool"

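Review bot: `community.general.docker_network` is used for the network task while the image task a few lines below uses `community.docker.docker_image`; the `docker_network` module lives in `community.docker` (the `community.general` name is only a compatibility redirect), so `community.docker.docker_network` is the consistent choice. The `mode: 0640` on the rendered `env` file is the right call, since `DATABASE_URL` may carry credentials; the unit file at `0644` is fine because, with the env file in place, the secrets no longer appear in it.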
@ -1,20 +1,20 @@
---
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
tags:
- tags:
- setup-all
- setup-bot-go-neb
- install-all
- install-bot-go-neb
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
- block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool"
tags:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
- tags:
- setup-all
- setup-bot-go-neb
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool"

@ -0,0 +1,8 @@
BIND_ADDRESS=:4050
DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}
DATABASE_URL={{ matrix_bot_go_neb_storage_database }}
BASE_URL={{ matrix_bot_go_neb_base_url }}
CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}

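Review bot: the values here are written unquoted, which is correct for `docker --env-file` (each line is taken literally as `KEY=VALUE`, with no shell-style quote handling), but a one-line comment at the top of the template saying so would stop someone from "fixing" it by adding quotes, which would then become part of `DATABASE_URL`.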
@ -0,0 +1,45 @@
{% if matrix_bot_go_neb_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_bot_go_neb_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }}
{% endif %}
{% set middlewares = [] %}
{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-bot-go-neb-slashless-redirect'] %}
{% endif %}
{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-go-neb-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-bot-go-neb-strip-prefix'] %}
{% endif %}
{% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-bot-go-neb-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set middlewares = middlewares + ['matrix-bot-go-neb-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-bot-go-neb.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }}
{% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-bot-go-neb.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-bot-go-neb.service=matrix-bot-go-neb
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-bot-go-neb.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-bot-go-neb.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }}
{% if matrix_bot_go_neb_container_labels_traefik_tls %}
traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050
{% endif %}
{{ matrix_bot_go_neb_container_labels_additional_labels }}

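Review bot: in `redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$` the `quote` filter is Ansible's shell-quoting filter (`shlex.quote`), not a regex escape; it leaves `/go-neb` untouched, so the documented prefixes work, but a prefix containing regex metacharacters would not be escaped. `regex_escape` is the filter that matches the intent. Also, `customresponseheaders.{{ name }}={{ value }}` interpolates header names and values straight into the label file, so a custom value containing a newline would start a new label; a short note that `..._additional_response_headers_custom` entries must be single-line is worth adding.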
@ -16,31 +16,37 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true'
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-go-neb \
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-bot-go-neb \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
--network={{ matrix_bot_go_neb_container_network }} \
{% if matrix_bot_go_neb_container_http_host_bind_port %}
-p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \
{% endif %}
-e 'BIND_ADDRESS=:4050' \
-e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \
-e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \
-e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \
-e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \
--env-file={{ matrix_bot_go_neb_base_path }}/env \
--label-file={{ matrix_bot_go_neb_base_path }}/labels \
--mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \
--mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \
--entrypoint=/bin/sh \
{% for arg in matrix_bot_go_neb_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_bot_go_neb_docker_image }} \
{{ matrix_bot_go_neb_container_image }} \
-c "go-neb /config/config.yaml"
{% for network in matrix_bot_go_neb_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-go-neb
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-bot-go-neb

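Review bot: moving `DATABASE_URL` and the other settings from `-e` flags to `--env-file` is a real improvement: with `-e`, the database URL was part of the `docker` command line and therefore visible in `systemctl status`, `ps` output and the journal; it now lives only in the `0640` env file. Two things to double-check: `BASE_URL` no longer hardcodes `https://` but comes from `matrix_bot_go_neb_base_url`, so `matrix_bot_go_neb_scheme` needs a sane default; and `--network={{ matrix_bot_go_neb_container_network }}` replaces `matrix_docker_network`, so the bot can only reach the homeserver if `matrix_bot_go_neb_container_additional_networks` includes the network the homeserver is on (the group vars should wire that in).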
@ -4,12 +4,19 @@
matrix_bot_honoroit_enabled: true
# The hostname at which honoroit is served.
matrix_bot_honoroit_hostname: ''
# The path at which honoroit is exposed.
# This value must either be `/` or not end with a slash (e.g. `/honoroit`).
matrix_bot_honoroit_path_prefix: /
matrix_bot_honoroit_container_image_self_build: false
matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
matrix_bot_honoroit_version: v0.9.16
matrix_bot_honoroit_version: v0.9.17
matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}"
matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}"
matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
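Review bot: `matrix_bot_honoroit_hostname` defaults to `''` while `matrix_bot_honoroit_container_labels_traefik_enabled` defaults to `true` in the next hunk, which would render a router rule of `Host(``)`; `validate_config.yml` should require a non-empty hostname whenever the Traefik labels are enabled. The `v0.9.16 -> v0.9.17` bump is folded into the same change; keeping version bumps in their own commit makes later bisecting easier.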
@ -19,6 +26,44 @@ matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config"
matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data"
matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store"
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_bot_honoroit_container_network: matrix-bot-honoroit
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_bot_honoroit_container_additional_networks: []
# matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_bot_honoroit_container_labels_additional_labels`.
matrix_bot_honoroit_container_labels_traefik_enabled: true
matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_honoroit_container_network }}"
matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_bot_honoroit_container_labels_traefik_priority: 0
matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}"
matrix_bot_honoroit_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom`
matrix_bot_honoroit_container_labels_traefik_additional_response_headers: "{{ matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom) }}"
matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto: {}
matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom: {}
# matrix_bot_honoroit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_bot_honoroit_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_bot_honoroit_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_bot_honoroit_container_extra_arguments: []

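Review bot: `matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto: {}` leaves honoroit without the baseline response headers that the go-neb role in this same change sets (`X-Frame-Options`, `X-Content-Type-Options`, `Content-Security-Policy`, `Strict-Transport-Security`). Unless honoroit serves nothing browser-facing, consider wiring in the same `matrix_bot_honoroit_http_header_*` set so the two roles behave alike behind Traefik.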
@ -1,20 +1,20 @@
---
- block:
- tags:
- setup-all
- setup-bot-honoroit
- install-all
- install-bot-honoroit
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_honoroit_enabled | bool"
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup | bool and matrix_bot_honoroit_enabled | bool"
tags:
- tags:
- setup-all
- setup-bot-honoroit
- install-all
- install-bot-honoroit
- block:
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool"
tags:
- setup-all
- setup-bot-honoroit

@ -40,13 +40,16 @@
- {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true}
when: "item.when | bool"
- name: Ensure honoroit environment variables file created
- name: Ensure honoroit support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/env.j2"
dest: "{{ matrix_bot_honoroit_config_path }}/env"
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_bot_honoroit_config_path }}/{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
with_items:
- env
- labels
- name: Ensure honoroit image is pulled
community.docker.docker_image:

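Review bot: the `labels` file is rendered to `{{ matrix_bot_honoroit_config_path }}/labels`, whereas go-neb writes its support files to the role base path; the honoroit systemd unit (not shown in this view) must point `--label-file` at the config path, so verify the two agree. `mode: 0640` with the matrix owner and group is appropriate for `env`, which carries the bot's access credentials.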
@ -0,0 +1,45 @@
{% if matrix_bot_honoroit_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_bot_honoroit_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_network }}
{% endif %}
{% set middlewares = [] %}
{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-bot-honoroit-slashless-redirect'] %}
{% endif %}
{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-honoroit-strip-prefix.stripprefix.prefixes={{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-bot-honoroit-strip-prefix'] %}
{% endif %}
{% if matrix_bot_honoroit_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_bot_honoroit_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
{% if matrix_bot_honoroit_container_labels_traefik_tls %}
traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080
{% endif %}
{{ matrix_bot_honoroit_container_labels_additional_labels }}

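Review bot: this template is a copy of the go-neb `labels.j2` with the names and the port (`8080`) swapped, so the same point applies: `quote` in `redirectregex.regex=(...)$` is shell quoting, and `regex_escape` is the filter that matches the intent. Since the two files are otherwise identical, a shared template parameterised on the service name would keep future fixes from having to be applied twice.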