diff --git a/CHANGELOG.md b/CHANGELOG.md index b849ef359..de86333da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,39 @@ +# 2020-05-19 + +## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server + +User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database. + +ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc. + +Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**. + +*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"` + + +# 2020-04-28 + +## Newer IRC bridge (with potential breaking change) + +This upgrades matrix-appservice-irc from 0.14.1 to 0.16.0. Upstream +made a change to how you define manual mappings. If you added a +`mapping` to your configuration, you will need to update it accoring +to the [upstream +instructions](https://github.com/matrix-org/matrix-appservice-irc/blob/master/CHANGELOG.md#0150-2020-02-05). +If you did not include `mappings` in your configuration for IRC, no +change is necessary. `mappings` is not part of the default +configuration. + + +# 2020-04-23 + +## Slack bridging support + +Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Slack](https://slack.com) via the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge. + +See our [Setting up MX Puppet Slack bridging](docs/configuring-playbook-bridge-mx-puppet-slack.md) documentation page for getting started. + + # 2020-04-09 ## Skype bridging support diff --git a/README.md b/README.md index 43125026f..6f7d25e0f 100644 --- a/README.md +++ b/README.md @@ -146,6 +146,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional) +- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md new file mode 100644 index 000000000..1f20219f1 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -0,0 +1,34 @@ +# Setting up MX Puppet Slack (optional) + +The playbook can install and configure +[mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [Slack](https://slack.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_slack_enabled: true +matrix_mx_puppet_slack_client_id: "" +matrix_mx_puppet_slack_client_secret: "" +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Slack Puppet Bridge` with +the handle `@_slackpuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Three authentication methods are available, Legacy Token, OAuth and xoxc token. +See mx-puppet-slack [documentation](https://github.com/Sorunome/mx-puppet-slack) +for more information about how to configure the bridge. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 99de20d65..d4de8e2b1 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -4,11 +4,14 @@ If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. ## Prerequisites -For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay. + +This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. + ## Enable + [Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml @@ -17,23 +20,31 @@ matrix_dimension_enabled: true ## Define admin users + These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com'] +matrix_dimension_admins: + - "@user1:{{ matrix_domain }}" + - "@user2:{{ matrix_domain }}" ``` + ## Access token -You are required to specify an access token for Dimension to work. -To get an access token, follow these steps: + +We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username). +Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**. + +You are required to specify an access token (belonging to this new user) for Dimension to work. +To get an access token for the Dimension user, follow these steps: 1. In a private browsing session (incognito window), open Riot. -2. It's preferable to use a dedicated user for the access token, so create and log in with that user's username and password. -3. Set the display name and avatar, if required. -4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. -5. Copy the highlighted text to your configuration. -6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. +2. Log in with the `dimension` user and its password. +1. Set the display name and avatar, if required. +2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. +3. Copy the highlighted text to your configuration. +4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** @@ -45,12 +56,23 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE" For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens). + +## Installation + After these variables have been set, please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` + +## Jitsi domain + +By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. + +In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. + + ## Additional features To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it. diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index 0933fb546..d9721a4ef 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md @@ -34,7 +34,7 @@ matrix_mailer_relay_auth_password: "some-password" ### Configuations for sending emails using Sendgrid -An easy and free STMP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. +An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`. diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index d6ff1c8a4..21a440f64 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -4,7 +4,7 @@ The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing plat Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services. -The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). +The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). You can refer to the documentation there for many of the options here. ## Prerequisites @@ -34,13 +34,13 @@ matrix_jitsi_jibri_xmpp_password: "" ``` -## (Optional) configure internal Jitsi authentication and guests mode +## (Optional) Configure Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). -If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: @@ -49,11 +49,43 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true ``` +### (Optional) LDAP authentication + +The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_auth_type: ldap +matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls +matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN" +matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_start_tls: true +``` + +For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation. + + +## (Optional) Making your Jitsi server work on a LAN + +By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok. + +The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work. + +Here is how to do it in the playbook. + +Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_jvb_container_extra_arguments: + - '--env "DOCKER_HOST_ADDRESS="' +``` + ## Apply changes Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with its internal authentication: register new users +## Required if configuring Jitsi with internal authentication: register new users Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: @@ -69,9 +101,15 @@ Run this command for each user you would like to create, replacing `` ## Usage -You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. +You can use the self-hosted Jitsi server in multiple ways: + +- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + +- **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default). + +- **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN` -To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. +**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support). ## Troubleshooting diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index cba68f744..e983f4723 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -26,7 +26,8 @@ matrix_corporal_policy_provider_config: | "Uri": "https://intranet.example.com/matrix/policy", "AuthorizationBearerToken": "SOME_SECRET", "CachePath": "/var/cache/matrix-corporal/last-policy.json", - "ReloadIntervalSeconds": 1800 + "ReloadIntervalSeconds": 1800, + "TimeoutMilliseconds": 300 } # If you also want to enable Matrix Corporal's HTTP API.. diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index 547f2befb..c1d777a89 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md @@ -31,3 +31,12 @@ matrix_synapse_turn_uris: - turn:HOSTNAME_OR_IP?transport=udp - turn:HOSTNAME_OR_IP?transport=tcp ``` + +If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might want to enable the TURN server there too. +If you do not do it, Jitsi will fall back to an upstream service. + +```yaml +matrix_jitsi_web_stun_servers: +- stun:HOSTNAME_OR_IP:PORT +``` +You can put multiple host/port combinations if you like. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index af00f7c09..7e9110957 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -99,4 +99,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional) +- [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 8bf84ed16..826a74944 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -104,7 +104,7 @@ server { ``` -**For Caddy**, it would be something like this: +**For Caddy 2**, it would be something like this: ```caddy reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { @@ -112,6 +112,14 @@ reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { } ``` +**For Caddy 1**, it would be something like this: + +```caddy +proxy /.well-known/matrix/ https://matrix.DOMAIN { + header_upstream Host {http.reverse_proxy.upstream.hostport} +} +``` + **For HAProxy**, it would be something like this: ```haproxy diff --git a/docs/installing.md b/docs/installing.md index 1e3ebf540..43758ffb2 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -10,6 +10,8 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all **Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +**Note**: if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. + The above command **doesn't start any services just yet** (another step does this later - below). Feel free to **re-run this setup command any time** you think something is off with the server configuration. diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index fcfe4e163..71a38e583 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,8 +1,10 @@ # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime -2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` +2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` 3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)! 4. Make sure your DNS records are adjusted to point to the new server's IP address 5. Remove old server from the `inventory/hosts` file and add new server. -6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. This will create the matrix user and group and start all services on the new server +6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-system-user`. This will create the `matrix` user and group on the new server +7. Because the `matrix` user and group are created dynamically on each server, the user/group id may differ between the old and new server. We suggest that you adjust ownership of `/matrix` files manually by running this on the new server: `chown -R matrix:matrix /matrix`. +8. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` to finish the installation and start all services diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d64b3b9fe..9c70934dd 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -8,11 +8,18 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database -- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state), for when you wish to compress some Synapse state tables using the [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) tool +- [Synapse maintenance](#synapse-maintenance) + - [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor) + - [Vacuuming Postgres](#vacuuming-postgres) + - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) + - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) +- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands ## Purging unused data with synapse-janitor +**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it. + When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't. This **unused and unreachable data** remains in your database forever. @@ -70,3 +77,23 @@ Don't forget that disk space only ever gets released after a [`FULL` Postgres `V Unfortunately, at this time the playbook can't help you run this **experimental tool**. Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. + +## Browse and manipulate the database + +When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. +First, set up an SSH tunnel to your matrix server (skip if it is your local machine): + +``` +# you may replace 1799 with an arbitrary port unbound on both machines +ssh -L 1799:localhost:1799 matrix.DOMAIN +``` + +Then start up an ephemeral [adminer](https://www.adminer.org/) container on the Matrix server, connecting it to the `matrix` network and linking the postgresql container: + +``` +docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer +``` + +You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`) + +⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 517c299f3..6d9876acf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -88,7 +88,7 @@ matrix_appservice_webhooks_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" @@ -337,6 +337,37 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-slack +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_slack_enabled: false + +matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_slack_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" + +matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" + +matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-slack +# +###################################################################### + + ###################################################################### # # matrix-corporal @@ -416,6 +447,8 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" + ###################################################################### # # /matrix-dimension @@ -583,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" +# Not proxying the user directory search to the identity server by default anymore, +# because it currently leaks data. +# See: https://github.com/ma1uta/ma1sd/issues/44 +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -739,6 +775,13 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ +matrix_synapse_http_listener_resource_names: | + {{ + ["client"] + + + ( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] ) + }} + matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 7f4c6ace7..1844f299e 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -22,8 +22,7 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" matrix_user_username: "matrix" -matrix_user_uid: 991 -matrix_user_gid: 991 +matrix_user_groupname: "matrix" matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 827a41013..26e019967 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -2,6 +2,11 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool" + tags: + - setup-all + - import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" when: run_setup|bool tags: @@ -12,6 +17,14 @@ tags: - setup-all +# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, +# which are required by many other roles. +- import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" + when: run_setup|bool + tags: + - always + - setup-system-user + - import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" when: run_setup|bool tags: diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 24217883d..74d40d1a9 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -1,25 +1,12 @@ --- -- name: Ensure Matrix group is created - group: - name: "{{ matrix_user_username }}" - gid: "{{ matrix_user_gid }}" - state: present - -- name: Ensure Matrix user is created - user: - name: "{{ matrix_user_username }}" - uid: "{{ matrix_user_uid }}" - state: present - group: "{{ matrix_user_username }}" - - name: Ensure Matrix base path exists file: path: "{{ item }}" state: directory mode: "{{ matrix_base_data_path_mode }}" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_base_data_path }}" @@ -54,4 +41,3 @@ src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" dest: "{{ matrix_local_bin_path }}/matrix-remove-all" mode: 0750 - diff --git a/roles/matrix-base/tasks/setup_matrix_user.yml b/roles/matrix-base/tasks/setup_matrix_user.yml new file mode 100644 index 000000000..700201a89 --- /dev/null +++ b/roles/matrix-base/tasks/setup_matrix_user.yml @@ -0,0 +1,22 @@ +--- + +- name: Ensure Matrix group is created + group: + name: "{{ matrix_user_groupname }}" + state: present + register: matrix_group + +- name: Set Matrix Group GID Variable + set_fact: + matrix_user_gid: "{{ matrix_group.gid }}" + +- name: Ensure Matrix user is created + user: + name: "{{ matrix_user_username }}" + state: present + group: "{{ matrix_user_groupname }}" + register: matrix_user + +- name: Set Matrix Group UID Variable + set_fact: + matrix_user_uid: "{{ matrix_user.uid }}" diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 36706df47..3b81ce1e3 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -8,7 +8,7 @@ state: directory mode: 0755 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" @@ -18,7 +18,7 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured template: @@ -26,7 +26,7 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_well_known_matrix_server_enabled|bool - name: Ensure Matrix /.well-known/matrix/server file deleted diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml new file mode 100644 index 000000000..526866190 --- /dev/null +++ b/roles/matrix-base/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- + +- name: (Deprecation) Warn about unused user/group variables + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore. + User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything. + when: "item in vars" + with_items: + - 'matrix_user_uid' + - 'matrix_user_gid' diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index e2144f6ae..d736fa7c7 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_discord_base_path }}" - "{{ matrix_appservice_discord_config_path }}" @@ -46,7 +46,7 @@ dest: "{{ matrix_appservice_discord_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure AppService Discord registration.yaml installed copy: @@ -54,7 +54,7 @@ dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" # If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated. # We intentionally suppress Ansible changes. diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index a9b048724..819691f6b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" @@ -235,7 +235,11 @@ matrix_appservice_irc_ircService_servers: [] # # 1:many mappings from IRC channels to room IDs on this IRC server. # # The matrix room must already exist. Your matrix client should expose # # the room ID in a "settings" page for the room. -# "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] +# "#thepub": +# roomIds: ["!kieouiJuedJoxtVdaG:localhost"] +# # Channel key/password to use. Optional. If provided, matrix users do +# # not need to know the channel key in order to join the channel. +# # key: "secret" # # Configuration for virtual matrix users. The following variables are # # exposed: diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 1c69b2a82..7206d25e9 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_irc_base_path }}" - "{{ matrix_appservice_irc_config_path }}" @@ -50,7 +50,7 @@ dest: "{{ matrix_appservice_irc_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Check if Appservice IRC passkey exists stat: @@ -70,7 +70,7 @@ path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" # Ideally, we'd like to generate the final registration.yaml file by ourselves. # @@ -134,7 +134,7 @@ dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-irc.service installed template: diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 58babbc31..d68c11788 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest" +matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b4132e966..94e0fedf9 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_slack_base_path }}" - "{{ matrix_appservice_slack_config_path }}" @@ -25,7 +25,7 @@ dest: "{{ matrix_appservice_slack_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure appservice-slack registration.yaml installed copy: @@ -33,7 +33,7 @@ dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-slack.service installed template: diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 5d167dc0b..9ddc121a1 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_webhooks_base_path }}" - "{{ matrix_appservice_webhooks_config_path }}" @@ -25,7 +25,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix Appservice webhooks schema.yml template exists template: @@ -33,7 +33,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix Appservice webhooks database.json template exists template: @@ -41,7 +41,7 @@ dest: "{{ matrix_appservice_webhooks_data_path }}/database.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure appservice-webhooks registration.yaml installed copy: @@ -49,7 +49,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-webhooks.service installed template: diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 82b55cea1..a1131d8ea 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } @@ -73,7 +73,7 @@ dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-facebook registration.yaml installed copy: @@ -81,7 +81,7 @@ dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-facebook.service installed template: diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index ae962d34c..97893be7c 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true } @@ -72,7 +72,7 @@ dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-hangouts registration.yaml installed copy: @@ -80,7 +80,7 @@ dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-hangouts.service installed template: diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b491dce8b..1e77eb023 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1c8b063d8..9dc38ec2c 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -21,7 +21,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_mautrix_telegram_base_path }}" - "{{ matrix_mautrix_telegram_config_path }}" @@ -50,7 +50,7 @@ dest: "{{ matrix_mautrix_telegram_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-telegram registration.yaml installed copy: @@ -58,7 +58,7 @@ dest: "{{ matrix_mautrix_telegram_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-telegram.service installed template: diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index a818afb18..6bd87bbe2 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -21,7 +21,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_mautrix_whatsapp_base_path }}" - "{{ matrix_mautrix_whatsapp_config_path }}" @@ -59,7 +59,7 @@ dest: "{{ matrix_mautrix_whatsapp_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-whatsapp registration.yaml installed copy: @@ -67,7 +67,7 @@ dest: "{{ matrix_mautrix_whatsapp_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-whatsapp.service installed template: diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index c32768079..9d80ab04b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -16,9 +16,26 @@ matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_pa matrix_mx_puppet_skype_appservice_port: "8438" matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' -matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}' +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_skype_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_skype_provisioning_blacklist: [] + +# Same as provisioning +matrix_mx_puppet_skype_relay_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Same as provisioning +matrix_mx_puppet_skype_relay_blacklist: [] + # A list of extra arguments to pass to the container matrix_mx_puppet_skype_container_extra_arguments: [] @@ -48,7 +65,7 @@ matrix_mx_puppet_skype_configuration_yaml: | # Port to host the bridge on which your homeserver will connect to port: {{ matrix_mx_puppet_skype_appservice_port }} # Name of your homeserver - domain: {{ matrix_mx_puppet_skype_homeserver_domain }} + domain: {{ matrix_domain }} # URL where the bridge can connect to your homeserver homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} # Optionally specify a different media URL used for the media store @@ -60,7 +77,7 @@ matrix_mx_puppet_skype_configuration_yaml: | # yourserver.com: supersecretsharedsecret {% if matrix_mx_puppet_skype_login_shared_secret != '' %} loginSharedSecretMap: - {{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} {% endif %} # optionally override the display name of the bridge bot #displayname: Protocol Bot @@ -122,19 +139,21 @@ matrix_mx_puppet_skype_configuration_yaml: | provisioning: # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: + whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} # Allow a specific user #- "@user:server\\.com" # Allow users on a specific homeserver - - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #- "@.*:yourserver\\.com" # Allow anyone #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge #blacklist: # Disallow a specific user #- "@user:server\\.com" # Disallow users on a specific homeserver #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} presence: # Bridge online/offline status @@ -150,10 +169,13 @@ matrix_mx_puppet_skype_configuration_yaml: | relay: # Regex of Matrix IDs to allow to use the relay mode # Same format as in provisioning - whitelist: - - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #whitelist: + #- "@.*:yourserver\\.com" + whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} + #blacklist: #- "@user:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} # Map certain homeserver URLs to the C-S API endpoint # Useful for double-puppeting if .well-known is unavailable for some reason @@ -196,11 +218,11 @@ matrix_mx_puppet_skype_registration_yaml: | namespaces: users: - exclusive: true - regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + regex: '@_skypepuppet_.*:{{ matrix_domain|regex_escape }}' rooms: [] aliases: - exclusive: true - regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + regex: '#_skypepuppet_.*:{{ matrix_domain|regex_escape }}' protocols: [] rate_limited: false sender_localpart: _skypepuppet_bot diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 6857c6c93..1febca3eb 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true } - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true } @@ -42,6 +42,7 @@ docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build + force_source: yes build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" @@ -71,7 +72,7 @@ dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mx-puppet-skype skype-registration.yaml installed copy: @@ -79,7 +80,7 @@ dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mx-puppet-skype.service installed template: diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml new file mode 100644 index 000000000..083910b1b --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -0,0 +1,186 @@ +# Mx Puppet Slack is a Matrix <-> Slack bridge +# See: https://github.com/Sorunome/mx-puppet-slack + +matrix_mx_puppet_slack_enabled: true + +matrix_mx_puppet_slack_container_image_self_build: false + +# Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_slack_container_http_host_bind_port: '' + +matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" +matrix_mx_puppet_slack_config_path: "{{ matrix_mx_puppet_slack_base_path }}/config" +matrix_mx_puppet_slack_data_path: "{{ matrix_mx_puppet_slack_base_path }}/data" +matrix_mx_puppet_slack_docker_src_files_path: "{{ matrix_mx_puppet_slack_base_path }}/docker-src" + +matrix_mx_puppet_slack_appservice_port: "8432" + +matrix_mx_puppet_slack_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}' + +matrix_mx_puppet_slack_client_id: '' +matrix_mx_puppet_slack_client_secret: '' +matrix_mx_puppet_slack_redirect_path: '/slack/oauth' +matrix_mx_puppet_slack_redirect_uri: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_slack_redirect_path }}' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_slack_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_slack_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_slack_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-slack.service depends on. +matrix_mx_puppet_slack_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-slack.service wants +matrix_mx_puppet_slack_systemd_wanted_services_list: [] + +matrix_mx_puppet_slack_appservice_token: '' +matrix_mx_puppet_slack_homeserver_token: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_slack_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_slack_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_slack_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} + + + # Slack OAuth settings. Create a slack app at https://api.slack.com/apps + oauth: + enabled: true + # Slack app credentials. + # N.B. This must be quoted so YAML wouldn't parse it as a float. + clientId: "{{ matrix_mx_puppet_slack_client_id }}" + clientSecret: {{ matrix_mx_puppet_slack_client_secret }} + # Path where to listen for OAuth redirect callbacks. + redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} + # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, + # then set this field and the Slack app redirect URI field to the former. + redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} + + presence: + # Bridge Discord online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + + provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + + database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + + logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + +matrix_mx_puppet_slack_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_slack_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_slack_configuration_yaml`. + +matrix_mx_puppet_slack_configuration_extension: "{{ matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml if matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_slack_configuration_yaml`. +matrix_mx_puppet_slack_configuration: "{{ matrix_mx_puppet_slack_configuration_yaml|from_yaml|combine(matrix_mx_puppet_slack_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_slack_registration_yaml: | + as_token: "{{ matrix_mx_puppet_slack_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_slack_homeserver_token }}" + id: slack-puppet + namespaces: + users: + - exclusive: true + regex: '@_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _slackpuppet_bot + url: {{ matrix_mx_puppet_slack_appservice_address }} + +matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml new file mode 100644 index 000000000..dac04b9bf --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -0,0 +1,70 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}" + when: matrix_mx_puppet_slack_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-slack-registration.yaml"] }} + when: matrix_mx_puppet_slack_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: | + location {{ matrix_mx_puppet_slack_redirect_path }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_mx_puppet_slack_appservice_address }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }}; + {% endif %} + } + + - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_mx_puppet_slack_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}` + URL endpoint to the matrix-mx-puppet-slack container. + You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. + when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml new file mode 100644 index 000000000..6aa0fd0fd --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml new file mode 100644 index 000000000..ddaede728 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Slack image is pulled + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}" + when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build + +- name: Ensure MX Puppet Slack paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}", when: "{{ matrix_mx_puppet_slack_container_image_self_build }}" } + when: matrix_mx_puppet_slack_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Slack repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-slack.git + dest: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" + +- name: Ensure MX Puppet Slack Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_slack_base_path }}/database.db" + register: matrix_mx_puppet_slack_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-slack database file to ./data directory + command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- name: Ensure mx-puppet-slack config.yaml installed + copy: + content: "{{ matrix_mx_puppet_slack_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mx-puppet-slack slack-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_slack_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mx-puppet-slack.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-slack.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-slack.service" + mode: 0644 + register: matrix_mx_puppet_slack_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_slack_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml new file mode 100644 index 000000000..73314a66e --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-slack service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + register: matrix_mx_puppet_slack_service_stat + +- name: Ensure matrix-mx-puppet-slack is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_slack_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-slack.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + state: absent + when: "matrix_mx_puppet_slack_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml new file mode 100644 index 000000000..3a0bca111 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_slack_appservice_token" + - "matrix_mx_puppet_slack_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 new file mode 100644 index 000000000..6db537336 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -0,0 +1,44 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Slack server +{% for service in matrix_mx_puppet_slack_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_slack_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack +ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_mx_puppet_slack_container_http_host_bind_port %} + -p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \ + {% endif %} + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_slack_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_slack_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_slack_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_slack_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack +ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-slack + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 2e09f013b..72b6a5b26 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_corporal_config_dir_path }}" - "{{ matrix_corporal_cache_dir_path }}" @@ -31,7 +31,7 @@ dest: "{{ matrix_corporal_config_dir_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_corporal_enabled|bool - name: Ensure matrix-corporal.service installed diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 06063e3b2..ef314d89b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 8a2ad3bdd..52db0e3e0 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} when: matrix_riot_web_enabled|bool and item.when @@ -47,7 +47,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_coturn_enabled|bool - name: Ensure turnserver.conf installed diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 5ee01b615..fafe289d6 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -32,6 +32,8 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" + # Default Dimension configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -58,7 +60,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "http://matrix-synapse:8048" + federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. diff --git a/roles/matrix-dimension/tasks/validate_config.yml b/roles/matrix-dimension/tasks/validate_config.yml index 62f23e33e..ead8352b5 100644 --- a/roles/matrix-dimension/tasks/validate_config.yml +++ b/roles/matrix-dimension/tasks/validate_config.yml @@ -6,14 +6,6 @@ - "matrix_dimension_access_token" when: "matrix_dimension_enabled and vars[item] == ''" -- name: Fail if Matrix Federation is disabled - fail: - msg: >- - You need to enable Matrix Federation to use Dimension. Set `{{ item }}` to 'true'. - with_items: - - "matrix_synapse_federation_enabled" - when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool" - - name: (Deprecation) Catch and report renamed Dimension variables fail: msg: >- diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index c32027b12..0a8d0c839 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -9,6 +9,9 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-dimension ExecStartPre=-/usr/bin/docker rm matrix-dimension +# Fixup database ownership if it got changed somehow (during a server migration, etc.) +ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db + ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml index 1e64627af..d5fa73a51 100644 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_email2matrix_base_path }}" - "{{ matrix_email2matrix_config_dir_path }}" @@ -21,7 +21,7 @@ src: "{{ role_path }}/templates/config.json.j2" dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0640 when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index fb9242ed5..21dae4481 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -7,6 +7,28 @@ matrix_jitsi_enable_guests: false matrix_jitsi_enable_recording: true matrix_jitsi_enable_transcriptions: true +# Authentication type, must be one of internal, jwt or ldap. Currently only +# internal and ldap are supported by this playbook. +matrix_jitsi_auth_type: internal + +# Configuration options for LDAP authentication. For details see upstream: +# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. +# Defaults are taken from: +# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf +matrix_jitsi_ldap_url: "" +matrix_jitsi_ldap_base: "" +matrix_jitsi_ldap_binddn: "" +matrix_jitsi_ldap_bindpw: "" +matrix_jitsi_ldap_filter: "uid=%u" +matrix_jitsi_ldap_auth_method: "bind" +matrix_jitsi_ldap_version: "3" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_tls_ciphers: "" +matrix_jitsi_ldap_tls_check_peer: false +matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" +matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" +matrix_jitsi_ldap_start_tls: false + matrix_jitsi_timezone: UTC matrix_jitsi_xmpp_domain: matrix-jitsi-web @@ -28,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4384" +matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -74,11 +96,12 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" +matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" # A list of extra arguments to pass to the container matrix_jitsi_prosody_container_extra_arguments: [] @@ -87,7 +110,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -104,7 +127,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml index fcfbb8f65..408027ee0 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_base_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index b7ff409a0..63da7fcfa 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true } - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index f442fc6e7..09055b59e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true } - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index e783aad90..66299f64b 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -10,10 +10,11 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-prosody Docker image is pulled diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 3610a084d..6e5d20b06 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index caa792134..e4479b732 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,8 +1,22 @@ -AUTH_TYPE=internal +AUTH_TYPE={{ matrix_jitsi_auth_type }} ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_BASE={{ matrix_jitsi_ldap_base }} +LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} +LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} +LDAP_FILTER={{ matrix_jitsi_ldap_filter }} +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} +LDAP_VERSION={{ matrix_jitsi_ldap_version }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} +LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} +LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} +LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} +LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} +LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} + XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index bf43021de..459a24d3a 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_prosody_base_path }}/env \ -v {{ matrix_jitsi_prosody_config_path }}:/config \ + -v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \ {% for arg in matrix_jitsi_prosody_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 144f4932e..ff2f72d4a 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -76,6 +76,10 @@ matrix_ma1sd_self_check_validate_certificates: true # According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity matrix_ma1sd_verbose_logging: false +# Setting up support for API prefixes +matrix_ma1sd_v1_enabled: true +matrix_ma1sd_v2_enabled: true + # Default ma1sd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -85,6 +89,8 @@ matrix_ma1sd_configuration_yaml: | #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} + v1: {{ matrix_ma1sd_v1_enabled|to_json }} + v2: {{ matrix_ma1sd_v2_enabled|to_json }} server: name: {{ matrix_server_fqn_matrix }} diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 57fc019a8..ee055afd7 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_ma1sd_config_path }}", when: true } - { path: "{{ matrix_ma1sd_data_path }}", when: true } @@ -69,7 +69,7 @@ dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_ma1sd_enabled|bool - name: Ensure custom templates are installed if any @@ -78,7 +78,7 @@ dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index e216915fa..6104edfe6 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_mailer_enabled|bool - name: Ensure mailer environment variables file created diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f329f1ad..07dd20381 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 6db5d9785..69ac36f20 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -16,7 +16,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_nginx_proxy_base_path }}" - "{{ matrix_nginx_proxy_data_path }}" @@ -34,7 +34,7 @@ src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" @@ -79,7 +79,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_nginx_proxy_base_domain_serving_enabled|bool - name: Ensure Matrix nginx-proxy homepage for base domain exists @@ -88,7 +88,7 @@ dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool - name: Ensure Matrix nginx-proxy configuration for base domain exists diff --git a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml index 5cd54cc8e..3e43a8c60 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml @@ -11,7 +11,7 @@ state: directory mode: 0755 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" @@ -21,4 +21,4 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" \ No newline at end of file + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index 5402468c6..6c0608186 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -14,7 +14,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: true with_items: - "{{ matrix_ssl_log_dir_path }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index 80838fa67..aea17cc02 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -17,7 +17,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" # The proper way to do this is by using a sequence of diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4089793a8..e26c43e7b 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,10 +8,10 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine" -matrix_postgres_docker_image_v10: "postgres:10.12-alpine" -matrix_postgres_docker_image_v11: "postgres:11.7-alpine" -matrix_postgres_docker_image_v12: "postgres:12.2-alpine" +matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine" +matrix_postgres_docker_image_v10: "postgres:10.13-alpine" +matrix_postgres_docker_image_v11: "postgres:11.8-alpine" +matrix_postgres_docker_image_v12: "postgres:12.3-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}" # This variable is assigned at runtime. Overriding its value has no effect. diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index 5953557b2..42c39a2de 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -50,7 +50,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-postgres is started service: @@ -79,7 +79,6 @@ --network={{ matrix_docker_network }} --entrypoint=python -v {{ matrix_synapse_config_dir_path }}:/data - -v {{ matrix_synapse_run_path }}:/matrix-run -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml index 599d45b5f..ef5fbf47d 100644 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -46,7 +46,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "result_pg_old_data_dir_stat.stat.exists" - block: diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 5591b75a3..41484d79c 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml @@ -7,6 +7,13 @@ msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run synapse-janitor." when: "not matrix_postgres_enabled|bool" +- name: Fail if not aware of the risks + fail: + msg: >- + Using Synapse Janitor is considered dangerous and may break your database. + See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465. + If you'd like to run it anyway, add `--extra-vars='i_know_synapse_janitor_is_dangerous=1'` to your command. + when: "i_know_synapse_janitor_is_dangerous|default('') == ''" # Defaults @@ -35,7 +42,7 @@ force: true mode: 0550 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-postgres is started service: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 355898b60..e4d443928 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -38,7 +38,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_postgres_base_path }}" - "{{ matrix_postgres_data_path }}" @@ -52,7 +52,7 @@ path: "{{ matrix_postgres_data_path }}" state: directory owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: yes when: matrix_postgres_enabled|bool diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e55de5346..1dc1be04c 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.2" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" @@ -29,6 +29,7 @@ matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" matrix_riot_web_integrations_widgets_urls: ["https://scalar.vector.im/api"] matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +matrix_riot_web_permalinkPrefix: "https://matrix.to" # Riot public room directory server(s) matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" @@ -75,6 +76,9 @@ matrix_riot_web_enable_presence_by_hs_url: ~ matrix_riot_web_themes_enabled: false matrix_riot_web_themes_repository_url: https://github.com/aaronraimist/riot-web-themes +# Controls the default riot-web theme +matrix_riot_web_default_theme: 'light' + # Controls the `settingsDefault.custom_themes` setting of the riot-web configuration. # You can use this setting to define custom themes. # diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index a1d25fc60..f21834a8d 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_riot_web_data_path }}", when: true } - { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" } @@ -48,7 +48,7 @@ dest: "{{ matrix_riot_web_data_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_riot_web_enabled|bool - name: Ensure Matrix riot-web config files installed @@ -57,7 +57,7 @@ dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"} diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index adbbf8dcd..8738e7dac 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -11,6 +11,8 @@ "settingDefaults": { "custom_themes": {{ matrix_riot_web_settingDefaults_custom_themes|to_json }} }, + "default_theme": {{ matrix_riot_web_default_theme|string|to_json }}, + "permalinkPrefix": {{ matrix_riot_web_permalinkPrefix|string|to_json }}, "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": {{ matrix_riot_web_brand|to_json }}, diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 51c61f47b..364e0fa1e 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -24,6 +24,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \ {% if matrix_riot_web_embedded_pages_home_path is not none %} -v {{ matrix_riot_web_data_path }}/home.html:/app/home.html:ro \ {% endif %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f117fe93d..50d7d8243 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,13 +5,12 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" -matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" @@ -137,6 +136,11 @@ matrix_synapse_tls_federation_listener_enabled: true matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt" matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key" +# Resource names used by the unsecure HTTP listener. Here only the Client API +# is defined, see the homeserver config for a full list of valid resource +# names. +matrix_synapse_http_listener_resource_names: ["client"] + # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml index 9569d71e7..634b1ca5e 100644 --- a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -12,7 +12,7 @@ force: true mode: 0440 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - set_fact: matrix_synapse_password_providers_enabled: true diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml index 60e5ee0c2..af92041df 100644 --- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -12,7 +12,7 @@ force: true mode: 0440 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - set_fact: matrix_synapse_password_providers_enabled: true diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index efd9d46cf..932379861 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -17,8 +17,8 @@ path: "{{ matrix_synapse_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_uid }}" - group: "{{ matrix_user_gid }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml index db68f22d1..487bcb356 100644 --- a/roles/matrix-synapse/tasks/import_media_store.yml +++ b/roles/matrix-synapse/tasks/import_media_store.yml @@ -66,7 +66,7 @@ file: path: "{{ matrix_synapse_media_store_path }}" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: yes when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml index da0e28c3e..9c2a3ea04 100644 --- a/roles/matrix-synapse/tasks/register_user.yml +++ b/roles/matrix-synapse/tasks/register_user.yml @@ -28,4 +28,4 @@ when: "start_result.changed" - name: Register user - shell: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" + command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username|quote }} {{ password|quote }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index c40ae170b..1ae7ade69 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -6,10 +6,9 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - - { path: "{{ matrix_synapse_run_path }}", when: true } - { path: "{{ matrix_synapse_ext_path }}", when: true } - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index f10614e74..58f4d31dc 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -15,7 +15,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - name: Ensure Synapse repository is present on self-build @@ -79,7 +79,7 @@ dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Synapse log config installed template: diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index 0d77f5ddf..1e86bd493 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -36,8 +36,8 @@ when: "start_result.changed or postgres_start_result.changed" - name: Generate password hash - shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" + shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" register: password_hash - name: Update user password hash - shell: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'" + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d41313e39..e729c7330 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -20,10 +20,15 @@ server_name: "{{ matrix_domain }}" # pid_file: /homeserver.pid -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. # -#web_client_location: "/path/to/web/root" +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would @@ -226,7 +231,7 @@ listeners: x_forwarded: true resources: - - names: [client] + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} compress: false {% if matrix_synapse_federation_enabled %} @@ -252,6 +257,19 @@ listeners: {% endif %} +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + ## Homeserver blocking ## # How to reach the server admin, used in ResourceLimitError @@ -410,6 +428,16 @@ retention: # longest_max_lifetime: 1y # interval: 1d +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + ## TLS ## @@ -706,20 +734,15 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire # #media_storage_providers: # - module: file_system -# # Whether to write new local files. +# # Whether to store newly uploaded local files # store_local: false -# # Whether to write new remote media +# # Whether to store newly downloaded remote files # store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete +# # Whether to wait for successful storage for local uploads # store_synchronous: false # config: # directory: /mnt/some/other/directory -# Directory where in-progress uploads are stored. -# -uploads_path: "/matrix-run/uploads" - # The largest allowed upload size in bytes # max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" @@ -834,6 +857,31 @@ url_preview_ip_range_blacklist: # max_spider_size: 10M +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + ## Captcha ## # See docs/CAPTCHA_SETUP for full details of configuring this. @@ -852,10 +900,6 @@ max_spider_size: 10M # #enable_registration_captcha: false -# A secret key used to bypass the captcha test entirely. -# -#captcha_bypass_secret: "YOUR_SECRET_HERE" - # The API endpoint to use for verifying m.login.recaptcha responses. # #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" @@ -1066,6 +1110,29 @@ account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + # Users who register on this homeserver will automatically be joined # to these rooms # @@ -1108,7 +1175,7 @@ sentry: # enabled by default, either for performance reasons or limited use. # metrics_flags: - # Publish synapse_federation_known_servers, a g auge of the number of + # Publish synapse_federation_known_servers, a gauge of the number of # servers this homeserver knows about, including itself. May cause # performance problems on large homeservers. # @@ -1272,32 +1339,32 @@ saml2_config: # remote: # - url: https://our_idp/metadata.xml # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + # # By default, the user has to go to our login page first. If you'd like + # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # # 'service.sp' section: + # # + # #service: + # # sp: + # # allow_unsolicited: true + # + # # The examples below are just used to generate our metadata xml, and you + # # may well not need them, depending on your setup. Alternatively you + # # may need a whole lot more detail - see the pysaml2 docs! + # + # description: ["My awesome SP", "en"] + # name: ["Test SP", "en"] + # + # organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + # + # contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: @@ -1532,8 +1599,19 @@ email: #template_dir: "res/templates" {% endif %} - -#password_providers: +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider # - module: "ldap_auth_provider.LdapAuthProvider" # config: # enabled: true diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 0bd2c25d5..e7b7f1c66 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -45,7 +45,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ - -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ diff --git a/setup.yml b/setup.yml index bca4b240f..ff80320ab 100755 --- a/setup.yml +++ b/setup.yml @@ -17,6 +17,7 @@ - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype + - matrix-bridge-mx-puppet-slack - matrix-synapse - matrix-riot-web - matrix-jitsi