Merge pull request #893 from GoMatrixHosting/master

matrix-awx - the GoMatrixHosting v0.3.0 initial PR

docs/configuring-awx-system.md

@@ -0,0 +1,43 @@
+# Configuring AWX System (optional)
+
+An AWX setup for managing multiple Matrix servers.
+
+This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers.
+
+Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context.
+
+The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
+
+Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
+
+Warning: This project is currently alpha quality and should only be run by the brave.
+
+
+## Other Required Playbooks
+
+The following repositories allow you to copy and use this setup:
+
+[Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you.
+
+[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions.
+
+[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
+
+## Testing Fork For This Playbook
+
+Updates to this section are trailed here:
+
+[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
+
+
+## Does I need an AWX setup to use this? How do I configure it? 
+
+Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
+
+
+## Does I need a front-end WordPress site? And a DigitalOcean account? 
+
+You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context.
+
+You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers.
+

group_vars/matrix_servers

@@ -29,6 +29,22 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix
 ######################################################################
 
 
+######################################################################
+#
+# matrix-awx
+#
+######################################################################
+
+matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}"
+matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}"
+
+######################################################################
+#
+# /matrix-awx
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-bridge-appservice-discord

roles/matrix-awx/defaults/main.yml

@@ -0,0 +1,2 @@
+
+matrix_awx_enabled: false

roles/matrix-awx/surveys/backup_server.json.j2

@@ -0,0 +1,19 @@
+{
+  "name": "Backup Server",
+  "description": "",
+  "spec": [
+    {
+      "question_name": "Enable Backup",
+      "question_description": "Set if remote backup is enabled or not. If enabled a daily backup of your server will be sent to the backup server located in {{ backup_server_location }}.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_awx_backup_enabled | string | lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_awx_backup_enabled",
+      "type": "multiplechoice"
+    }
+  ]
+}
+

roles/matrix-awx/surveys/configure_corporal.json.j2

@@ -0,0 +1,88 @@
+{
+  "name": "Configure Matrix Corporal",
+  "description": "",
+  "spec": [
+    {
+      "question_name": "Enable Corporal",
+      "question_description": "Controls if Matrix Corporal is enabled at all. If you're unsure if you need Matrix Corporal or not, you most likely don't.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_corporal_enabled|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_corporal_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Corporal Policy Provider",
+      "question_description": "Controls what provider policy is used with Matrix Corporal.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_corporal_policy_provider_mode }}",
+      "choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)",
+      "new_question": true,
+      "variable": "matrix_corporal_policy_provider_mode",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Simple Static File Configuration",
+      "question_description": "The configuration file for Matrix Corporal, only needed if 'Simple Static File' provider is selected, any configuration entered here will be saved and applied.",
+      "required": false,
+      "min": 0,
+      "max": 65536,
+      "default": "",
+      "new_question": true,
+      "variable": "matrix_corporal_simple_static_config",
+      "type": "textarea"
+    },
+    {
+      "question_name": "HTTP Pull Mode URI",
+      "question_description": "The network address to remotely fetch the configuration from. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected.",
+      "required": false,
+      "min": 0,
+      "max": 4096,
+      "default": "{{ matrix_corporal_pull_mode_uri }}",
+      "new_question": true,
+      "variable": "matrix_corporal_pull_mode_uri",
+      "type": "text"
+    },
+    {
+      "question_name": "HTTP Pull Mode Authentication Token",
+      "question_description": "An authentication token for pulling the Corporal configuration from a network location. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.",
+      "required": false,
+      "min": 0,
+      "max": 256,
+      "default": "{{ matrix_corporal_pull_mode_token }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_corporal_pull_mode_token",
+      "type": "password"
+    },
+    {
+      "question_name": "Corporal API Authentication Token",
+      "question_description": "An authentication token for interfacing with Corporals API. Only needed to be set if 'HTTP Pull Mode (API Enabled)' or 'HTTP Push Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.",
+      "required": false,
+      "min": 0,
+      "max": 256,
+      "default": "{{ matrix_corporal_http_api_auth_token }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_corporal_http_api_auth_token",
+      "type": "password"
+    },
+    {
+      "question_name": "Raise Synapse Ratelimits",
+      "question_description": "For Matrix Corporal to work you will need to temporarily raise the rate limits for logins, please return this value to 'Normal' after you're done using Corporal.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_corporal_raise_ratelimits }}",
+      "choices": "Normal\nRaised",
+      "new_question": true,
+      "variable": "matrix_corporal_raise_ratelimits",
+      "type": "multiplechoice"
+    }
+  ]
+}

roles/matrix-awx/surveys/configure_element.json.j2

@@ -0,0 +1,78 @@
+{
+  "name": "",
+  "description": "",
+  "spec": [
+    {
+      "question_name": "Enable Element-Web",
+      "question_description": "Set if Element web client is enabled or not.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_client_element_enabled }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_client_element_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Set Branding for Web Client",
+      "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.",
+      "required": false,
+      "min": 0,
+      "max": 256,
+      "default": "{{ matrix_client_element_brand }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_client_element_brand",
+      "type": "text"
+    },
+    {
+      "question_name": "Set Theme for Web Client",
+      "question_description": "Sets the default theme for the web client, can be changed later by individual users.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_client_element_default_theme }}",
+      "choices": "light\ndark",
+      "new_question": true,
+      "variable": "matrix_client_element_default_theme",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Set Welcome Page Background",
+      "question_description": "URL to Wallpaper, shown in background of the welcome page. Must be a 'https' link, otherwise it won't be set.",
+      "required": false,
+      "min": 0,
+      "max": 1024,
+      "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_client_element_branding_welcomeBackgroundUrl",
+      "type": "text"
+    },
+    {
+      "question_name": "Show Registration Button",
+      "question_description": "If you show the registration button on the welcome page.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_client_element_registration_enabled }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_client_element_registration_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Set Element Subdomain",
+      "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.",
+      "required": false,
+      "min": 0,
+      "max": 2048,
+      "default": "{{ element_subdomain }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "element_subdomain",
+      "type": "text"
+    }
+  ]
+}

roles/matrix-awx/surveys/configure_jitsi.json.j2

@@ -0,0 +1,31 @@
+{
+  "name": "",
+  "description": "",
+  "spec": [
+    {
+      "question_name": "Enable Jitsi",
+      "question_description": "Set if Jitsi is enabled or not. If disabled your server will use the https://jitsi.riot.im server. If you're on a smaller server disabling this might increase the performance of your Matrix service.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_jitsi_enabled }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_jitsi_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Set Default Language",
+      "question_description": "2 digit 639-1 language code to adjust the language of the web client. For a list of possible codes see: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes",
+      "required": false,
+      "min": 0,
+      "max": 2,
+      "default": "{{ matrix_jitsi_web_config_defaultLanguage }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_jitsi_web_config_defaultLanguage",
+      "type": "text"
+    }
+  ]
+}
+

roles/matrix-awx/surveys/configure_ma1sd.json.j2

@@ -0,0 +1,41 @@
+{
+  "name": "",
+  "description": "",
+  "spec": [
+    {
+      "question_name": "Enable ma1sd",
+      "question_description": "Set if ma1sd is enabled or not. If disabled your server will loose identity functionality (not recommended).",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_ma1sd_enabled|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_ma1sd_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "ma1sd Authentication Mode",
+      "question_description": "Set the source of user account authentication credentials with the ma1sd.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ ext_matrix_ma1sd_auth_store }}",
+      "choices": "Synapse Internal\nLDAP/AD",
+      "new_question": true,
+      "variable": "ext_matrix_ma1sd_auth_store",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "LDAP/AD Configuration",
+      "question_description": "Settings for connecting LDAP/AD to the ma1sd service. (ignored if using Synapse Internal, see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md )",
+      "required": false,
+      "min": 0,
+      "max": 65536,
+      "default": {{ ext_matrix_ma1sd_configuration_extension_yaml | to_json }},
+      "new_question": true,
+      "variable": "ext_matrix_ma1sd_configuration_extension_yaml",
+      "type": "textarea"
+    }
+  ]
+}

roles/matrix-awx/surveys/configure_synapse.json.j2

@@ -0,0 +1,198 @@
+{
+  "name": "Configure Synapse",
+  "description": "",
+  "spec": [
+    {
+      "question_name": "Enable Public Registration",
+      "question_description": "Controls whether people with access to the homeserver can register by themselves.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_enable_registration|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_enable_registration",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Enable Federation",
+      "question_description": "Controls whether Synapse will federate at all. Disable this to completely isolate your server from the rest of the Matrix network.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_federation_enabled|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_federation_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Allow Public Rooms Over Federation",
+      "question_description": "Controls whether remote servers can fetch this server's public rooms directory via federation. For private servers, you'll most likely want to forbid this.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_allow_public_rooms_over_federation|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_allow_public_rooms_over_federation",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Enable Community Creation",
+      "question_description": "Allows regular users (who aren't server admins) to create 'communities', which are basically groups of rooms.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_enable_group_creation|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_enable_group_creation",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Enable Synapse Presence",
+      "question_description": "Controls whether presence is enabled. This shows who's online and reading your posts. Disabling it will increase both performance and user privacy.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_use_presence|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_use_presence",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Enable URL Previews",
+      "question_description": "Controls whether URL previews should be generated. This will cause a request from Synapse to URLs shared by users.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_url_preview_enabled|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_url_preview_enabled",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Enable Guest Access",
+      "question_description": "Controls whether 'guest accounts' can access rooms without registering. Guest users do not count towards your servers user limit.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_allow_guest_access|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_allow_guest_access",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Registration Requires Email",
+      "question_description": "Controls whether an email address is required to register on the server.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ ext_registrations_require_3pid|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "ext_registrations_require_3pid",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Registration Shared Secret",
+      "question_description": "A secret that allows registration of standard or admin accounts by anyone who has the shared secret, even if registration is otherwise disabled. WARNING: You must set a strong and unique password here.",
+      "required": false,
+      "min": 0,
+      "max": 256,
+      "default": "",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_synapse_registration_shared_secret",
+      "type": "password"
+    },
+    {
+      "question_name": "Synapse Max Upload Size",
+      "question_description": "Sets the maximum size for uploaded files in MB.",
+      "required": false,
+      "min": 0,
+      "max": 3,
+      "default": "{{ matrix_synapse_max_upload_size_mb }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_synapse_max_upload_size_mb",
+      "type": "text"
+    },
+    {
+      "question_name": "URL Preview Languages",
+      "question_description": "Sets the languages that URL previews will be generated in. Entries are a 2-3 letter IETF language tag, they must be seperated with newlines. For example: 'fr' https://en.wikipedia.org/wiki/IETF_language_tag",
+      "required": false,
+      "min": 0,
+      "max": 65536,
+      "default": {{ ext_url_preview_accept_language_default|to_json }},
+      "choices": "",
+      "new_question": true,
+      "variable": "ext_url_preview_accept_language_raw",
+      "type": "textarea"
+    },  
+    {
+      "question_name": "Federation Whitelist",
+      "question_description": "Here you can list the URLs of other Matrix homeservers and Synapse will only federate with those homeservers. Entries must be seperated with newlines and must not have a 'https://' prefix. For example: 'matrix.example.org'",
+      "required": false,
+      "min": 0,
+      "max": 65536,
+      "default": {{ ext_federation_whitelist_raw|to_json }},
+      "choices": "",
+      "new_question": true,
+      "variable": "ext_federation_whitelist_raw",
+      "type": "textarea"
+    },  
+    {
+      "question_name": "Synapse Auto-Join Rooms",
+      "question_description": "Sets the 'auto-join' rooms, where new users will be automatically invited to, these rooms must already exist. Entries must be room addresses that are separated with newlines. For example: '#announcements:example.org'",
+      "required": false,
+      "min": 0,
+      "max": 65536,
+      "default": {{ matrix_synapse_auto_join_rooms_raw|to_json }},
+      "choices": "",
+      "new_question": true,
+      "variable": "matrix_synapse_auto_join_rooms_raw",
+      "type": "textarea"
+    },
+    {
+      "question_name": "Enable ReCaptcha on Registration",
+      "question_description": "Enables Googles ReCaptcha verification for registering an account, recommended for public servers.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ ext_enable_registration_captcha|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "ext_enable_registration_captcha",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "Recaptcha Public Key",
+      "question_description": "Sets the Google ReCaptcha public key for this website.",
+      "required": false,
+      "min": 0,
+      "max": 40,
+      "default": "{{ ext_recaptcha_public_key }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "ext_recaptcha_public_key",
+      "type": "text"
+    },
+    {
+      "question_name": "Recaptcha Private Key",
+      "question_description": "Sets the Google ReCaptcha private key for this website.",
+      "required": false,
+      "min": 0,
+      "max": 40,
+      "default": "{{ ext_recaptcha_private_key }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "ext_recaptcha_private_key",
+      "type": "text"
+    }
+  ]
+}

roles/matrix-awx/surveys/configure_synapse_admin.json.j2

@@ -0,0 +1,18 @@
+{
+  "name": "Configure Synapse Admin",
+  "description": "Configure 'Synapse Admin', a moderation tool to help you manage your server.",
+  "spec": [
+    {
+      "question_name": "Enable Synapse Admin",
+      "question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://matrix.{{ matrix_domain }}/synapse-admin.",
+      "required": false,
+      "min": null,
+      "max": null,
+      "default": "{{ matrix_synapse_admin_enabled|string|lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "matrix_synapse_admin_enabled",
+      "type": "multiplechoice"
+    }
+  ]
+}

roles/matrix-awx/surveys/configure_website_access_export.json.j2

@@ -0,0 +1,54 @@
+{
+  "name": "Configure Website Access Backup",
+  "description": "Configure base domain website settings and access the services backup.",
+  "spec": [
+    {
+      "question_name": "Customise Base Domain Website",
+      "question_description": "Set if you want to adjust the base domain website using SFTP.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ customise_base_domain_website | string | lower }}",
+      "choices": "true\nfalse",
+      "new_question": true,
+      "variable": "customise_base_domain_website",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "SFTP Authorisation Method",
+      "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ sftp_auth_method | string }}",
+      "choices": "Disabled\nPassword\nSSH Key",
+      "new_question": true,
+      "variable": "sftp_auth_method",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "SFTP Password",
+      "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
+      "required": false,
+      "min": 0,
+      "max": 64,
+      "default": "{{ sftp_password }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "sftp_password",
+      "type": "password"
+    },
+    {
+      "question_name": "SFTP Public SSH Key (More Secure)",
+      "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
+      "required": false,
+      "min": 0,
+      "max": 16384,
+      "default": "{{ sftp_public_key }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "sftp_public_key",
+      "type": "text"
+    }
+  ]
+}

roles/matrix-awx/tasks/backup_server.yml

@@ -0,0 +1,69 @@
+
+- name: Record Backup Server variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# AWX Settings'
+  with_dict:
+    'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}'
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Save new 'Backup Server' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/backup_server.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json'
+
+- name: Copy new 'Backup Server' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json'
+    dest: '/matrix/awx/backup_server.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+  
+- name: Recreate 'Backup Server' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 0 - Backup Server"
+    description: "Performs a backup of the entire service to a remote location."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "backup-server"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+
+- name: Perform the borg backup
+  command: borgmatic
+  when: matrix_awx_backup_enabled|bool
+
+- name: Set boolean value to exit playbook
+  set_fact:
+    end_playbook: true
+  
+- name: End playbook if this task list is called.
+  meta: end_play
+  when: end_playbook is defined and end_playbook|bool
+

roles/matrix-awx/tasks/create_user.yml

@@ -0,0 +1,31 @@
+#
+# Create user and define if they are admin
+#
+# /usr/local/bin/matrix-synapse-register-user <your_username> <your_password> <admin access: 0 or 1>
+#
+
+- name: Set admin bool to zero
+  set_fact:
+    admin_bool: 0
+  when: admin_access == 'false'
+
+- name: Examine if server admin set
+  set_fact:      
+    admin_bool: 1
+  when: admin_access == 'true'
+  
+- name: Set boolean value to exit playbook
+  set_fact:
+    end_playbook: true
+
+- name: Create user account
+  command: |
+    /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
+  register: cmd
+
+- name: Result
+  debug: msg="{{ cmd.stdout }}"
+  
+- name: End playbook if this task list is called.
+  meta: end_play
+  when: end_playbook is defined and end_playbook|bool

roles/matrix-awx/tasks/customise_website_access_export.yml

@@ -0,0 +1,230 @@
+
+
+- name: Enable index.html creation if user doesn't wish to customise base domain
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Base Domain Settings'
+  with_dict:
+    'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
+  when: customise_base_domain_website|bool == false
+
+- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Base Domain Settings'
+  with_dict:
+    'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
+  when: customise_base_domain_website|bool == true
+    
+- name: Record custom 'Customise Website + Access Export' variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Custom Settings'
+  with_dict:
+    'customise_base_domain_website': '{{ customise_base_domain_website }}'
+    'sftp_auth_method': '"{{ sftp_auth_method }}"'
+    'sftp_password': '"{{ sftp_password }}"'
+    'sftp_public_key': '"{{ sftp_public_key }}"'
+    
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Reload vars in matrix_vars.yml
+  include_vars:
+    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+  no_log: True
+
+- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
+
+- name: Copy new 'Customise Website + Access Export' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
+    dest:  '/matrix/awx/configure_website_access_export.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Recreate 'Customise Base Domain Export' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
+    description: "Configure base domain website settings and access the servers export."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-nginx-proxy"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+
+- name: Ensure group "sftp" exists
+  group:
+    name: sftp
+    state: present
+
+- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
+  user:
+    name: sftp
+    comment: SFTP user to set custom web files and access servers export
+    shell: /bin/false
+    home: /home/sftp
+    group: sftp
+    password: '*'
+    update_password: always
+  when: sftp_password|length == 0
+
+- name: If user defines sftp_password, enable account and set password on 'stfp' account
+  user:
+    name: sftp
+    comment: SFTP user to set custom web files and access servers export
+    shell: /bin/false
+    home: /home/sftp
+    group: sftp
+    password: "{{ sftp_password | password_hash('sha512') }}"
+    update_password: always
+  when: sftp_password|length > 0
+
+- name: adding existing user 'sftp' to group matrix
+  user:
+    name: sftp
+    groups: matrix
+    append: yes
+
+- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
+  file:
+    path: /chroot
+    state: directory
+    owner: root
+    group: root
+    mode: '1755'
+
+- name: Ensure /chroot/website location exists.
+  file:
+    path: /chroot/website
+    state: directory
+    owner: matrix
+    group: matrix
+    mode: '0574'
+
+- name: Ensure /chroot/export location exists
+  file:
+    path: /chroot/export
+    state: directory
+    owner: sftp
+    group: sftp
+    mode: '0700'
+
+- name: Ensure /home/sftp/.ssh location exists
+  file:
+    path: /home/sftp/.ssh
+    state: directory
+    owner: sftp
+    group: sftp
+    mode: '0700'
+
+- name: Ensure /home/sftp/authorized_keys exists
+  file:
+    path: /home/sftp/.ssh/authorized_keys
+    state: touch
+    owner: sftp
+    group: sftp
+    mode: '0644'
+
+- name: Clear authorized_keys file
+  shell: echo "" > /home/sftp/.ssh/authorized_keys
+
+- name: Insert public SSH key into authorized_keys file
+  lineinfile:
+    path: /home/sftp/.ssh/authorized_keys
+    line: "{{ sftp_public_key }}"
+    owner: sftp
+    group: sftp
+    mode: '0644'
+  when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
+  
+- name: Alter SSH Subsystem State 1
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: "Subsystem sftp	/usr/lib/openssh/sftp-server"
+    state: absent
+
+- name: Alter SSH Subsystem State 2
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    insertafter: "^# override default of no subsystems"
+    line: "Subsystem sftp internal-sftp"
+
+- name: Add SSH Match User section for disabled auth
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    state: absent
+    block: |
+      Match User sftp
+          ChrootDirectory /chroot
+          PermitTunnel no
+          X11Forwarding no
+          AllowTcpForwarding no
+          PasswordAuthentication yes
+          AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
+  when: sftp_auth_method == "Disabled"
+
+- name: Add SSH Match User section for password auth
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    state: present
+    block: |
+      Match User sftp
+          ChrootDirectory /chroot
+          PermitTunnel no
+          X11Forwarding no
+          AllowTcpForwarding no
+          PasswordAuthentication yes
+  when: sftp_auth_method == "Password"
+
+- name: Add SSH Match User section for publickey auth
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    state: present
+    block: |
+      Match User sftp
+          ChrootDirectory /chroot
+          PermitTunnel no
+          X11Forwarding no
+          AllowTcpForwarding no
+          AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
+  when: sftp_auth_method == "SSH Key"
+
+- name: Restart service ssh.service
+  service:
+    name: ssh.service
+    state: restarted
+

roles/matrix-awx/tasks/import_awx.yml

@@ -0,0 +1,23 @@
+
+- name: Ensure /matrix/awx is empty
+  shell: rm -r /matrix/awx/*
+  ignore_errors: yes
+
+- name: Ensure /matrix/synapse is empty
+  shell: rm -r /matrix/synapse/*
+  ignore_errors: yes
+
+- name: Extract from /chroot/export
+  shell: tar -xvzf /chroot/export/matrix.tar.gz -C /matrix/
+
+- name: Ensure correct ownership of /matrix/awx
+  shell: chown -R matrix:matrix /matrix/awx
+
+- name: Ensure correct ownership of /matrix/synapse
+  shell: chown -R matrix:matrix /matrix/synapse
+
+- name: Fetch matrix_vars.yml file to AWX
+  fetch:
+    src: /matrix/awx/matrix_vars.yml
+    dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/
+    flat: yes

roles/matrix-awx/tasks/load_hosting_and_org_variables.yml

@@ -0,0 +1,10 @@
+
+- name: Include vars in organisation.yml
+  include_vars:
+    file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml'
+  no_log: True
+
+- name: Include vars in hosting_vars.yml
+  include_vars:
+    file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
+  no_log: True

roles/matrix-awx/tasks/load_matrix_variables.yml

@@ -0,0 +1,6 @@
+
+- name: Include vars in matrix_vars.yml
+  include_vars:
+    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+  no_log: True
+

roles/matrix-awx/tasks/main.yml

@@ -0,0 +1,79 @@
+
+# Load initial hosting and organisation variables from AWX volume
+- import_tasks: "{{ role_path }}/tasks/load_hosting_and_org_variables.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - always
+
+# Perform a backup of the server
+- import_tasks: "{{ role_path }}/tasks/backup_server.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - backup-server
+
+# Create a user account if called
+- import_tasks: "{{ role_path }}/tasks/create_user.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - create-user
+    
+# Perform extra self-check functions
+- import_tasks: "{{ role_path }}/tasks/self_check.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - self-check
+
+# Import configs, media repo from /chroot/backup import
+- import_tasks: "{{ role_path }}/tasks/import_awx.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - import-awx
+
+# Configure SFTP so user can upload a static website or access the servers export
+- import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-nginx-proxy
+
+# Additional playbook to set the variable file during Element configuration
+- import_tasks: "{{ role_path }}/tasks/set_variables_element.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-client-element
+
+# Additional playbook to set the variable file during Synapse configuration
+- import_tasks: "{{ role_path }}/tasks/set_variables_synapse.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-synapse
+
+# Additional playbook to set the variable file during Jitsi configuration
+- import_tasks: "{{ role_path }}/tasks/set_variables_jitsi.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-jitsi
+
+# Additional playbook to set the variable file during Ma1sd configuration
+- import_tasks: "{{ role_path }}/tasks/set_variables_ma1sd.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-ma1sd
+    
+# Additional playbook to set the variable file during Corporal configuration
+- import_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-corporal  
+
+# Additional playbook to set the variable file during Synapse Admin configuration
+- import_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - setup-all
+
+# Load newly formed matrix variables from tower volume
+- import_tasks: "{{ role_path }}/tasks/load_matrix_variables.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - always
+

roles/matrix-awx/tasks/self_check.yml

@@ -0,0 +1,94 @@
+
+- name: Install prerequisite apt packages on target
+  apt:
+    name: 
+      - sysstat
+    state: present
+    
+- name: Install prerequisite yum packages on AWX
+  delegate_to: 127.0.0.1
+  yum:
+    name: 
+      - bind-utils
+    state: present
+    
+- name: Install prerequisite pip packages on AWX
+  delegate_to: 127.0.0.1
+  pip:
+    name: 
+      - dnspython
+    state: present
+
+- name: Calculate CPU usage statistics
+  shell: iostat -c
+  register: cpu_usage_stat
+  no_log: True
+    
+- name: Print CPU usage statistics
+  debug:
+    msg: "{{ cpu_usage_stat.stdout.split('\n') }}"
+  when: cpu_usage_stat is defined
+
+- name: Calculate RAM usage statistics
+  shell: free -mh
+  register: ram_usage_stat
+  no_log: True
+
+- name: Print RAM usage statistics
+  debug:
+    msg: "{{ ram_usage_stat.stdout.split('\n') }}"
+  when: ram_usage_stat is defined
+
+- name: Calculate free disk space
+  shell: df -h
+  register: disk_space_stat
+  no_log: True
+
+- name: Print free disk space
+  debug:
+    msg: "{{ disk_space_stat.stdout.split('\n') }}"
+  when: disk_space_stat is defined
+
+- name: Calculate size of Synapse database
+  shell: du -sh /matrix/postgres/data
+  register: db_size_stat
+  no_log: True
+
+- name: Print size of Synapse database
+  debug:
+    msg: "{{ db_size_stat.stdout.split('\n') }}"
+  when: db_size_stat is defined
+
+- name: Calculate size of local media repository
+  shell: du -sh /matrix/synapse/storage/media-store/local*
+  register: local_media_size_stat
+  ignore_errors: yes
+  no_log: True
+
+- name: Print size of local media repository
+  debug:
+    msg: "{{ local_media_size_stat.stdout.split('\n') }}"
+  when: local_media_size_stat is defined
+
+- name: Calculate size of remote media repository
+  shell: du -sh /matrix/synapse/storage/media-store/remote*
+  register: remote_media_size_stat
+  ignore_errors: yes
+  no_log: True
+
+- name: Print size of remote media repository
+  debug:
+    msg: "{{ remote_media_size_stat.stdout.split('\n') }}"
+  when: remote_media_size_stat is defined
+
+- name: Calculate docker container statistics
+  shell: docker stats --all --no-stream
+  register: docker_stats
+  ignore_errors: yes
+  no_log: True
+
+- name: Print docker container statistics
+  debug:
+    msg: "{{ docker_stats.stdout.split('\n') }}"
+  when: docker_stats is defined
+

roles/matrix-awx/tasks/set_variables_corporal.yml

@@ -0,0 +1,254 @@
+
+- name: Record Corporal Enabled/Disabled variable
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Corporal Settings'
+  with_dict:
+    'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}'
+    
+- name: Enable Shared Secret Auth if Corporal enabled
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Shared Secret Auth Settings'
+  with_dict:
+    'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true'
+  when: matrix_corporal_enabled|bool
+  
+- name: Disable Shared Secret Auth if Corporal disabled
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Shared Secret Auth Settings'
+  with_dict:
+    'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false'
+  when: not matrix_corporal_enabled|bool
+  
+- name: Enable Rest Auth Endpoint if Corporal enabled
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Extension'
+  with_dict:
+    'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'
+  when: matrix_corporal_enabled|bool
+
+- name: Disable Rest Auth Endpoint if Corporal disabled
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Extension'
+  with_dict:
+    'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false'
+  when: not matrix_corporal_enabled|bool
+
+- name: Disable Corporal API if Simple Static File mode selected
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Corporal Settings'
+  with_dict:
+    'matrix_corporal_http_api_enabled': 'false'
+  when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool)
+
+- name: Enable Corporal API if Push/Pull mode delected
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Corporal Settings'
+  with_dict:
+    'matrix_corporal_http_api_enabled': 'true'
+  when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool)
+
+- name: Record Corporal API Access Token if it's defined
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Corporal Settings'
+  with_dict:
+    'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}'
+  when: matrix_corporal_http_api_auth_token|length > 0
+
+- name: Record 'Simple Static File' configuration variables in matrix_vars.yml
+  delegate_to: 127.0.0.1
+  blockinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: "# Corporal Policy Provider Settings"
+    block: |
+      matrix_corporal_policy_provider_config: |
+        {
+          "Type": "static_file",
+          "Path": "/etc/matrix-corporal/corporal-policy.json"
+        }
+  when: matrix_corporal_policy_provider_mode == "Simple Static File" 
+
+- name: Touch the /matrix/corporal/ directory
+  file:
+    path: "/matrix/corporal/"
+    state: directory
+    owner: matrix
+    group: matrix
+    mode: '750'
+
+- name: Touch the /matrix/corporal/config/ directory
+  file:
+    path: "/matrix/corporal/config/"
+    state: directory
+    owner: matrix
+    group: matrix
+    mode: '750'
+
+- name: Touch the /matrix/corporal/cache/ directory
+  file:
+    path: "/matrix/corporal/cache/"
+    state: directory
+    owner: matrix
+    group: matrix
+    mode: '750'
+
+- name: Touch the corporal-policy.json file to ensure it exists
+  file:
+    path: "/matrix/corporal/config/corporal-policy.json"
+    state: touch
+    owner: matrix
+    group: matrix
+    mode: '660'
+    
+- name: Touch the last-policy.json file to ensure it exists
+  file:
+    path: "/matrix/corporal/config/last-policy.json"
+    state: touch
+    owner: matrix
+    group: matrix
+    mode: '660'
+  
+- name: Record 'Simple Static File' configuration content in corporal-policy.json
+  copy:
+    content: "{{ matrix_corporal_simple_static_config | string  }}"
+    dest: "/matrix/corporal/config/corporal-policy.json"
+    owner: matrix
+    group: matrix
+    mode: '660'
+  when: (matrix_corporal_policy_provider_mode == "Simple Static File") and (matrix_corporal_simple_static_config|length > 0)
+
+- name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml
+  delegate_to: 127.0.0.1
+  blockinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: "# Corporal Policy Provider Settings"
+    block: |
+      matrix_corporal_policy_provider_config: |
+        {
+          "Type": "http",
+          "Uri": "{{ matrix_corporal_pull_mode_uri }}",
+          "AuthorizationBearerToken": "{{ matrix_corporal_pull_mode_token }}",
+          "CachePath": "/var/cache/matrix-corporal/last-policy.json",
+          "ReloadIntervalSeconds": 1800,
+          "TimeoutMilliseconds": 30000
+        }
+  when: (matrix_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (matrix_corporal_pull_mode_token|length > 0)
+
+- name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml
+  delegate_to: 127.0.0.1
+  blockinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: "# Corporal Policy Provider Settings"
+    block: |
+      matrix_corporal_policy_provider_config: |
+        {
+          "Type": "last_seen_store_policy",
+          "CachePath": "/var/cache/matrix-corporal/last-policy.json"
+        }
+  when: (matrix_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)")
+
+- name: Lower RateLimit if set to 'Normal'
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: '    address:\n        per_second: 50\n        burst_count: 300\n    account:\n        per_second: 0.17\n        burst_count: 300'
+    replace: '    address:\n        per_second: 0.17\n        burst_count: 3\n    account:\n        per_second: 0.17\n        burst_count: 3'
+  when: matrix_corporal_raise_ratelimits == "Normal"
+
+- name: Raise RateLimit if set to 'Raised'
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: '    address:\n        per_second: 0.17\n        burst_count: 3\n    account:\n        per_second: 0.17\n        burst_count: 3'
+    replace: '    address:\n        per_second: 50\n        burst_count: 300\n    account:\n        per_second: 0.17\n        burst_count: 300'
+  when: matrix_corporal_raise_ratelimits == "Raised"
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0664'
+
+- name: Save new 'Configure Corporal' survey.json to the AWX tower
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/configure_corporal.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json'
+
+- name: Copy new 'Configure Corporal' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json'
+    dest: '/matrix/awx/configure_corporal.json'
+    mode: '0660'
+    
+- debug:
+    msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}"
+    
+- debug:
+    msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}"
+
+- debug:
+    msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}"
+   
+- debug:
+    msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Recreate 'Configure Corporal (Advanced)' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure Corporal (Advanced)"
+    description: "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-corporal"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+    

roles/matrix-awx/tasks/set_variables_element.yml

@@ -0,0 +1,77 @@
+
+- name: Record Element-Web variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Element Settings'
+  with_dict:
+    'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}'
+    'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}'
+    'matrix_client_element_brand': '{{ matrix_client_element_brand }}'
+    'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}'
+    'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}'
+    'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}"
+
+- name: Set fact for 'https' string
+  set_fact:
+    https_string: "https"
+
+- name: Record Element-Web Background variable locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Element Settings'
+  with_dict:
+    'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}'
+  when: (https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 )
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Save new 'Configure Element' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/configure_element.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json'
+
+- name: Copy new 'Configure Element' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json'
+    dest: '/matrix/awx/configure_element.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+  
+- name: Recreate 'Configure Element' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure Element"
+    description: "Configure Element client via survey."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-client-element"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+

roles/matrix-awx/tasks/set_variables_jitsi.yml

@@ -0,0 +1,58 @@
+
+- name: Record Jitsi variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Jitsi Settings'
+  with_dict:
+    'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}'
+    'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}'
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Save new 'Configure Jitsi' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/configure_jitsi.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json'
+
+- name: Copy new 'Configure Jitsi' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json'
+    dest:  '/matrix/awx/configure_jitsi.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Recreate 'Configure Jitsi' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure Jitsi"
+    description: "Configure Jitsi conferencing settings."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-jitsi"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+

roles/matrix-awx/tasks/set_variables_ma1sd.yml

@@ -0,0 +1,130 @@
+
+- name: Record ma1sd variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# ma1sd Settings'
+  with_dict:
+    'matrix_ma1sd_enabled': '{{ matrix_ma1sd_enabled }}'
+
+- name: Disable REST auth (matrix-corporal/ma1sd) if using internal auth
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Extension'
+  with_dict:
+    'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false'
+  when: ext_matrix_ma1sd_auth_store == 'Synapse Internal'
+
+- name: Enable REST auth if using external LDAP/AD with ma1sd
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Extension'
+  with_dict:
+    'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'
+    'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090'
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
+
+- name: Strip header from ma1sd configuration extension if using internal auth
+  set_fact:
+    ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}"
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
+
+- name: Remove entire ma1sd configuration extension
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: '^.*\n'
+    after: '# Start ma1sd Extension'
+    before: '# End ma1sd Extension'
+    
+- name: Replace conjoined ma1sd configuration extension limiters
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: '^# Start ma1sd Extension# End ma1sd Extension'
+    replace: '# Start ma1sd Extension\n# End ma1sd Extension'
+  
+- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    line: "matrix_ma1sd_configuration_extension_yaml: |"
+    insertafter: '# Start ma1sd Extension'
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
+
+- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertbefore: '# End ma1sd Extension'
+    line: '{{ item }}'
+  with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}"
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
+
+- name: Record ma1sd Custom variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertbefore: '# Custom Settings'
+  with_dict:
+    'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}'
+    'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}'
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Save new 'Configure ma1sd' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/configure_ma1sd.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json'
+
+- name: Copy new 'Configure ma1sd' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json'
+    dest:  '/matrix/awx/configure_ma1sd.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Recreate 'Configure ma1sd (Advanced)' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure ma1sd (Advanced)"
+    description: "Configure Jitsi conferencing settings."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-ma1sd"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+    
+# ^ This playbook isn't executing so the survey isn't being updated! :P
+

roles/matrix-awx/tasks/set_variables_synapse.yml

@@ -0,0 +1,223 @@
+
+- name: Record Synapse variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Settings'
+  with_dict:
+    'matrix_synapse_allow_public_rooms_over_federation': '{{ matrix_synapse_allow_public_rooms_over_federation }}'
+    'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
+    'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
+    'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
+    'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}'
+    'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
+    'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
+    'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
+  
+- name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^matrix_synapse_auto_join_rooms: .*$"
+    replace: "matrix_synapse_auto_join_rooms: []"
+  when: matrix_synapse_auto_join_rooms_raw|length == 0
+
+- name: If the raw inputs is not empty start constructing parsed auto_join_rooms list
+  set_fact:
+    matrix_synapse_auto_join_rooms_array: |-
+      {{ matrix_synapse_auto_join_rooms_raw.splitlines() | to_json }}
+  when: matrix_synapse_auto_join_rooms_raw|length > 0
+
+- name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Settings'
+  with_dict:
+    "matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}"
+  when: matrix_synapse_auto_join_rooms_raw|length > 0
+
+- name: Record Synapse Shared Secret if it's defined
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Settings'
+  with_dict:
+    'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}'
+  when: matrix_synapse_registration_shared_secret|length > 0
+
+- name: Record registations_require_3pid extra variable if true
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "{{ item }}:"
+    line: "{{ item }}"
+    insertbefore: '# End Synapse Extension'
+  with_items:
+    - "  registrations_require_3pid:"
+    - "    - email"
+  when: ext_registrations_require_3pid|bool
+
+- name: Remove registrations_require_3pid extra variable if false
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "{{ item }}:"
+    line: "{{ item }}"
+    insertbefore: '# End Synapse Extension'
+    state: absent
+  with_items:
+    - "  registrations_require_3pid:"
+    - "    - email"
+  when: not ext_registrations_require_3pid|bool
+
+- name: Remove URL Languages
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: '^(?!.*\bemail\b)    - [a-zA-Z\-]{2,5}\n'
+    after: '  url_preview_accept_language:'
+    before: '# End Synapse Extension'
+
+- name: Set URL languages default if raw inputs empty
+  set_fact:
+    ext_url_preview_accept_language_default: 'en'
+  when: ext_url_preview_accept_language_raw|length == 0
+
+- name: Set URL languages default if raw inputs not empty
+  set_fact:
+    ext_url_preview_accept_language_default: "{{ ext_url_preview_accept_language_raw }}"
+  when: ext_url_preview_accept_language_raw|length > 0
+
+- name: Set URL languages if raw inputs empty
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: '^  url_preview_accept_language:'
+    line: "    - {{ ext_url_preview_accept_language_default }}"
+  when: ext_url_preview_accept_language_raw|length == 0
+
+- name: Set URL languages if raw inputs not empty
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: '^  url_preview_accept_language:'
+    line: "    - {{ item }}"
+  with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}"
+  when: ext_url_preview_accept_language_raw|length > 0
+
+- name: Remove Federation Whitelisting 1
+  delegate_to: 127.0.0.1
+  replace:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: '^    - [a-z0-9]+\.[a-z0-9.]+\n'
+    after: '  federation_domain_whitelist:'
+    before: '# End Synapse Extension'
+
+- name: Remove Federation Whitelisting 2
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    line: "  federation_domain_whitelist:"
+    state: absent
+
+- name: Set Federation Whitelisting 1
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: '^matrix_synapse_configuration_extension_yaml: \|'
+    line: "  federation_domain_whitelist:"
+  when: ext_federation_whitelist_raw|length > 0
+
+- name: Set Federation Whitelisting 2
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    insertafter: '^  federation_domain_whitelist:'
+    line: "    - {{ item }}"
+  with_items: "{{ ext_federation_whitelist_raw.splitlines() }}"
+  when: ext_federation_whitelist_raw|length > 0
+  
+- name: Record Synapse Custom variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertbefore: '# Custom Settings'
+  with_dict:
+    'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}'
+    'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}'
+
+- name: Set ext_recaptcha_public_key to a 'public-key' if undefined
+  set_fact: ext_recaptcha_public_key="public-key"
+  when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0)
+
+- name: Set ext_recaptcha_private_key to a 'private-key' if undefined
+  set_fact: ext_recaptcha_private_key="private-key"
+  when: (ext_recaptcha_private_key is not defined) or (ext_recaptcha_private_key|length == 0)
+
+- name: Record Synapse Extension variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertbefore: '# End Synapse Extension'
+  with_dict:
+    '  enable_registration_captcha': '{{ ext_enable_registration_captcha }}'
+    '  recaptcha_public_key': '{{ ext_recaptcha_public_key }}'
+    '  recaptcha_private_key': '{{ ext_recaptcha_private_key }}'
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Save new 'Configure Synapse' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/configure_synapse.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_synapse.json'
+
+- name: Copy new 'Configure Synapse' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json'
+    dest:  '/matrix/awx/configure_synapse.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Recreate 'Configure Synapse' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure Synapse"
+    description: "Configure Synapse (homeserver) settings."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-synapse"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+

roles/matrix-awx/tasks/set_variables_synapse_admin.yml

@@ -0,0 +1,58 @@
+
+- name: Record Synapse Admin variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Synapse Admin Settings'
+  with_dict:
+    'matrix_synapse_admin_enabled': '{{ matrix_synapse_admin_enabled }}'
+
+- name: Copy new 'matrix_vars.yml' to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    dest: '/matrix/awx/matrix_vars.yml'
+    mode: '0660'
+
+- name: Save new 'Configure Synapse Admin' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: 'roles/matrix-awx/surveys/configure_synapse_admin.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json'
+
+- name: Copy new 'Configure Synapse Admin' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json'
+    dest:  '/matrix/awx/configure_synapse_admin.json'
+    mode: '0660'
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Recreate 'Configure Synapse Admin' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Configure Synapse Admin"
+    description: "Configure 'Synapse Admin', a moderation tool to help you manage your server."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-all"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+
+

roles/matrix-common-after/tasks/awx_post.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Create user account
+  command: |
+    /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1
+  register: cmd
+  when: not matrix_awx_janitor_user_created|bool
+  no_log: True
+    
+- name: Update AWX janitor user created variable
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: 'AWX Settings'
+  with_dict:
+    'matrix_awx_janitor_user_created': 'true'
+  when: not matrix_awx_janitor_user_created|bool
+

roles/matrix-common-after/tasks/main.yml

@@ -1,3 +1,4 @@
+
 - import_tasks: "{{ role_path }}/tasks/start.yml"
   when: run_start|bool
   tags:
@@ -11,7 +12,14 @@
 - import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml"
   tags:
     - always
+    
+- import_tasks: "{{ role_path }}/tasks/awx_post.yml"
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - always
 
 - import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml"
   tags:
     - run-docker-prune
+    
+

roles/matrix-nginx-proxy/defaults/main.yml

@@ -9,6 +9,7 @@ matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.
 
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
 matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
+matrix_nginx_proxy_data_path_in_container: "/nginx-data"
 matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
 
 # List of systemd services that matrix-nginx-proxy.service depends on

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -33,7 +33,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \
 			{% endif %}
 			--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
-			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
+			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \
 			--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
 			{% if matrix_ssl_retrieval_method != 'none' %}
 			--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \

setup.yml

@@ -7,6 +7,7 @@
     - roles/matrix-synapse/vars/workers.yml
 
   roles:
+    - matrix-awx
     - matrix-base
     - matrix-dynamic-dns
     - matrix-mailer