From 3ddb8cd148435ff663bd5b71db8da83d92de9e3a Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sat, 18 Apr 2020 19:00:20 +0200 Subject: [PATCH 01/63] Add support for running dimension in an unfederated environment This config change follows: https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md --- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 5ee01b615..e9faffa3b 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -58,7 +58,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "http://matrix-synapse:8048" + federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d41313e39..7f9eb04f9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -226,7 +226,11 @@ listeners: x_forwarded: true resources: - - names: [client] + - names: + - client +{% if matrix_dimension_enabled and not matrix_synapse_federation_enabled %} + - openid +{% endif %} compress: false {% if matrix_synapse_federation_enabled %} From da2e90dcc1a68ce161d693cbe520ed5fafeb62de Mon Sep 17 00:00:00 2001 
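Review bot: The new `federationUrl` default depends on `matrix_synapse_federation_enabled`, a variable the matrix-synapse role owns, with no fallback, so rendering `matrix_dimension_configuration_yaml` with the matrix-dimension role on its own now fails on an undefined variable where it previously produced the federation port. `federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|default(true)|bool else 8008 }}"` keeps the old value as the fallback; alternatively the port choice belongs in `group_vars/matrix_servers`, which appears to be where the playbook's cross-role wiring for Dimension already lives. The block scalar holding this configuration continues outside the hunk.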
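Review bot: The `openid` resource is appended to the plain-HTTP listener (the one declaring `x_forwarded: true`, presumably the listener the reverse proxy fronts) with no comment explaining why, and the condition `matrix_dimension_enabled and not matrix_synapse_federation_enabled` is the only hint. A template comment would spare the next maintainer a trip to the linked Dimension docs: `{# Dimension needs the openid resource on this listener when federation (and its listener) is off; see https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md #}`. It should also say that the resource becomes reachable through whatever fronts this listener, so anyone extending the list knows they are choosing what a client-facing port serves. The listener definition starts outside the hunk, and `matrix_dimension_enabled` is a variable from another role used inside the synapse template without a default.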
From: Chris van Dijk
Date: Sat, 18 Apr 2020 19:01:45 +0200
Subject: [PATCH 02/63] Remove check for "Fail if Matrix Federation is disabled"
This playbook now suports running dimension in both a federated and an unfederated environment.
---
 roles/matrix-dimension/tasks/validate_config.yml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/roles/matrix-dimension/tasks/validate_config.yml b/roles/matrix-dimension/tasks/validate_config.yml
index 62f23e33e..ead8352b5 100644
--- a/roles/matrix-dimension/tasks/validate_config.yml
+++ b/roles/matrix-dimension/tasks/validate_config.yml
@@ -6,14 +6,6 @@
 - "matrix_dimension_access_token"
 when: "matrix_dimension_enabled and vars[item] == ''"
-- name: Fail if Matrix Federation is disabled
- fail:
- msg: >-
- You need to enable Matrix Federation to use Dimension. Set `{{ item }}` to 'true'.
- with_items:
- - "matrix_synapse_federation_enabled"
- when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool"
-
 - name: (Deprecation) Catch and report renamed Dimension variables
 fail:
 msg: >-
From 18beb3046612fb2b4f2d665087fa2e1f425d8edb Mon Sep 17 00:00:00 2001
From: Chris van Dijk
Date: Sat, 18 Apr 2020 19:12:20 +0200
Subject: [PATCH 03/63] Update docs to reflect support for unfederated dimension
---
 docs/configuring-playbook-dimension.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md
index 99de20d65..40bec06b7 100644
--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@@ -4,7 +4,7 @@ If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. ## Prerequisites -For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay. +This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. From 9991d545ddbec3b3686bffd3ee02aa58fcf8ca0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 21 Apr 2020 21:48:06 +0300 Subject: [PATCH 04/63] Add note about synapse-janitor and require explicit confirmation for usage Fixes #465 (Github Issue). Related to https://github.com/xwiki-labs/synapse_scripts/pull/12. --- docs/maintenance-synapse.md | 8 +++++++- roles/matrix-postgres/tasks/run_synapse_janitor.yml | 7 +++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d64b3b9fe..ab33b9de7 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md 
@@ -8,11 +8,17 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database -- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state), for when you wish to compress some Synapse state tables using the [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) tool +- [Synapse maintenance](#synapse-maintenance) + - [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor) + - [Vacuuming Postgres](#vacuuming-postgres) + - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) + - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) ## Purging unused data with synapse-janitor +**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it. + When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't. This **unused and unreachable data** remains in your database forever. diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 5591b75a3..4562b8ba1 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml 
@@ -7,6 +7,13 @@
 msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run synapse-janitor."
 when: "not matrix_postgres_enabled|bool"
+- name: Fail if not aware of the risks
+ fail:
+ msg: >-
+ Using Synapse Janitor is considered dangerous and may break your database.
+ See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465.
+ If you'd like to run it anyway, add `--extra-vars='i_know_synapse_janitor_is_dangerous=1'` to your command.
+ when: "i_know_synapse_janitor_is_dangerous|default('') == ''"
 # Defaults
From 3f4bc9b8818f175982e07cc5ca3cb01abfd7fd44 Mon Sep 17 00:00:00 2001
From: Chris van Dijk
Date: Wed, 22 Apr 2020 19:01:56 +0200
Subject: [PATCH 05/63] Move config supprt for unfederated dimension into group_vars
---
 group_vars/matrix_servers | 9 +++++++++
 roles/matrix-dimension/defaults/main.yml | 4 +++-
 roles/matrix-synapse/defaults/main.yml | 5 +++++
 .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +-----
 4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index e80d55c35..4c41c3b83 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -402,6 +402,8 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
 matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
 matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"
+matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}"
+
 ######################################################################
 #
 # /matrix-dimension
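Review bot: The confirmation check `when: "i_know_synapse_janitor_is_dangerous|default('') == ''"` accepts any non-empty value as consent, so an explicit `--extra-vars='i_know_synapse_janitor_is_dangerous=0'` (or `=false`, `=no`) also skips the failure, because extra-vars arrive as strings and `'0' == ''` is false. Testing the value as a boolean, `when: "not i_know_synapse_janitor_is_dangerous|default(false)|bool"`, still honours the `=1` form the message advertises while treating a negative answer as "not confirmed". The task list continues outside the hunk (`# Defaults` follows).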
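Review bot: `matrix_dimension_homeserver_federationUrl` puts a camelCase segment into the snake_case scheme every other variable in this hunk follows (`matrix_integration_manager_rest_url`, `matrix_dimension_container_http_host_bind_port`), and the role default added in the `roles/matrix-dimension/defaults/main.yml` hunk of this commit introduces the same name. `matrix_dimension_homeserver_federation_url` would match the convention, and the role default should carry a comment like the settings around it, e.g. `# The URL Dimension uses to reach the homeserver's federation APIs (rendered as federationUrl in matrix_dimension_configuration_yaml).`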
@@ -723,6 +725,13 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ +matrix_synapse_http_listener_resource_names: | + {{ + ["client"] + + + ( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] ) + }} + matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index e9faffa3b..fafe289d6 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -32,6 +32,8 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" + # Default Dimension configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -58,7 +60,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" + federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f117fe93d..a2fa1bea3 100644 
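Review bot: The condition inside `matrix_synapse_http_listener_resource_names`, `matrix_dimension_enabled and not matrix_synapse_federation_enabled`, applies `|bool` to neither operand, while the `matrix_dimension_homeserver_federationUrl` entry added earlier in this commit (`@@ -402`) writes `matrix_synapse_federation_enabled|bool`. A value supplied as the string `"false"` (extra-vars, for instance) is truthy in Jinja, so `not` on it picks the wrong branch and `openid` is left off the listener. `( ["openid"] if matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool else [] )` makes the two definitions agree.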
--- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -137,6 +137,11 @@ matrix_synapse_tls_federation_listener_enabled: true matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt" matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key" +# Resource names used by the unsecure HTTP listener. Here only the Client API +# is defined, see the homeserver config for a full list of valid resource +# names. +matrix_synapse_http_listener_resource_names: ["client"] + # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 7f9eb04f9..4479d8fc0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -226,11 +226,7 @@ listeners: x_forwarded: true resources: - - names: - - client -{% if matrix_dimension_enabled and not matrix_synapse_federation_enabled %} - - openid -{% endif %} + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} compress: false {% if matrix_synapse_federation_enabled %} From b08a49d94dc67f930d925b06e428accab6c3ccad Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 22 Apr 2020 15:26:23 -0400 Subject: [PATCH 06/63] Allow skype more configurations for relay and provisioning --- .../defaults/main.yml | 43 +++++++++++++++---- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index c32768079..8119199d3 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml 
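Review bot: The comment on `matrix_synapse_http_listener_resource_names` calls this the "unsecure HTTP listener" but does not say that the list is emitted verbatim into that listener's `names:` (the homeserver.yaml.j2 hunk below does `{{ matrix_synapse_http_listener_resource_names|to_json }}` with no filtering), so anyone adding an entry is changing what the plain-HTTP, `x_forwarded: true` listener — presumably the one the reverse proxy fronts — serves. Suggested wording: `# Resource names served by the plain-HTTP (client) listener. Everything listed here is reachable on that listener, so only add resources meant to be exposed through it; see the homeserver config for the valid names.`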
@@ -16,9 +16,26 @@ matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_pa matrix_mx_puppet_skype_appservice_port: "8438" matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' -matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}' +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_skype_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_skype_provisioning_blacklist: + +# Same as provisioning +matrix_mx_puppet_skype_relay_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Same as provisioning +matrix_mx_puppet_skype_relay_blacklist: + # A list of extra arguments to pass to the container matrix_mx_puppet_skype_container_extra_arguments: [] @@ -48,7 +65,7 @@ matrix_mx_puppet_skype_configuration_yaml: | # Port to host the bridge on which your homeserver will connect to port: {{ matrix_mx_puppet_skype_appservice_port }} # Name of your homeserver - domain: {{ matrix_mx_puppet_skype_homeserver_domain }} + domain: {{ matrix_domain }} # URL where the bridge can connect to your homeserver homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} # Optionally specify a different media URL used for the media store 
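Review bot: Removing `matrix_mx_puppet_skype_homeserver_domain` breaks any inventory that overrode it, and nothing in the commit flags the rename; the matrix-dimension role earlier in this series has a `(Deprecation) Catch and report renamed Dimension variables` task that would be the model for failing with a clear message when the old name is still set. The comment examples `"@.*:yourserver.com"` also leave the dot unescaped, whereas the defaults below them apply `regex_escape` and the rendered config's own examples write `yourserver\\.com`; matching them avoids documenting a pattern that also matches `yourserverXcom`. The `@@ -48` and `@@ -60` hunks below only swap the variable for `matrix_domain`, so one deprecation note covers them.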
@@ -60,7 +77,7 @@ matrix_mx_puppet_skype_configuration_yaml: | # yourserver.com: supersecretsharedsecret {% if matrix_mx_puppet_skype_login_shared_secret != '' %} loginSharedSecretMap: - {{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} {% endif %} # optionally override the display name of the bridge bot #displayname: Protocol Bot @@ -123,18 +140,23 @@ matrix_mx_puppet_skype_configuration_yaml: | provisioning: # Regex of Matrix IDs allowed to use the puppet bridge whitelist: + whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} # Allow a specific user #- "@user:server\\.com" # Allow users on a specific homeserver - - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #- "@.*:yourserver\\.com" # Allow anyone #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge #blacklist: # Disallow a specific user #- "@user:server\\.com" # Disallow users on a specific homeserver #- "@.*:yourserver\\.com" + {% if matrix_mx_puppet_skype_provisioning_blacklist %} + blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} + {% endif %} presence: # Bridge online/offline status @@ -150,10 +172,15 @@ matrix_mx_puppet_skype_configuration_yaml: | relay: # Regex of Matrix IDs to allow to use the relay mode # Same format as in provisioning - whitelist: - - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #whitelist: + #- "@.*:yourserver\\.com" + whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} + #blacklist: #- "@user:yourserver\\.com" + {% if matrix_mx_puppet_skype_relay_blacklist %} + blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} + {% endif %} # Map certain homeserver URLs to the C-S API endpoint # Useful for double-puppeting if .well-known is unavailable for some reason 
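Review bot: After the `@@ -123,18 +140,23` hunk the `provisioning` mapping has the key `whitelist` twice: the pre-existing `whitelist:` line is kept as context (the hunk counts only account for the removed `- '@.*:...'` item) and the added `whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }}` follows it. Duplicate keys are invalid YAML; PyYAML, which Ansible's `from_yaml` uses, silently keeps the last one, so this happens to work today, but a stricter loader, or the bare key ending up second after a later edit, would leave `whitelist` as null and the bridge with whatever it does for a missing whitelist. Delete the bare `whitelist:` line, as the relay hunk below does by commenting it out (`#whitelist:`).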
@@ -196,11 +223,11 @@ matrix_mx_puppet_skype_registration_yaml: | namespaces: users: - exclusive: true - regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + regex: '@_skypepuppet_.*:{{ matrix_domain|regex_escape }}' rooms: [] aliases: - exclusive: true - regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + regex: '#_skypepuppet_.*:{{ matrix_domain|regex_escape }}' protocols: [] rate_limited: false sender_localpart: _skypepuppet_bot From 0af5a8c4cce8e3b279158e6caa3a6e6d99c12018 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Apr 2020 22:42:16 +0300 Subject: [PATCH 07/63] Simplify mx-puppet-skype blacklists a bit Related to #466 (Github Pull Request). --- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 8119199d3..1d21835c7 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -27,14 +27,14 @@ matrix_mx_puppet_skype_provisioning_whitelist: # Leave empty to disable blacklist # "@user:server.com" disallow a specific user # "@.*:yourserver.com" disallow users on a specific homeserver -matrix_mx_puppet_skype_provisioning_blacklist: +matrix_mx_puppet_skype_provisioning_blacklist: [] # Same as provisioning matrix_mx_puppet_skype_relay_whitelist: - "@.*:{{ matrix_domain|regex_escape }}" # Same as provisioning -matrix_mx_puppet_skype_relay_blacklist: +matrix_mx_puppet_skype_relay_blacklist: [] # A list of extra arguments to pass to the container matrix_mx_puppet_skype_container_extra_arguments: [] 
@@ -154,9 +154,7 @@ matrix_mx_puppet_skype_configuration_yaml: |
 #- "@user:server\\.com"
 # Disallow users on a specific homeserver
 #- "@.*:yourserver\\.com"
- {% if matrix_mx_puppet_skype_provisioning_blacklist %}
 blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }}
- {% endif %}
 presence:
 # Bridge online/offline status
@@ -178,9 +176,7 @@ matrix_mx_puppet_skype_configuration_yaml: |
 #blacklist:
 #- "@user:yourserver\\.com"
- {% if matrix_mx_puppet_skype_relay_blacklist %}
 blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }}
- {% endif %}
 # Map certain homeserver URLs to the C-S API endpoint
 # Useful for double-puppeting if .well-known is unavailable for some reason
From 4149e03b694286ee887af5ae5cea38a65db89759 Mon Sep 17 00:00:00 2001
From: Rodrigo Belem
Date: Sun, 12 Apr 2020 10:17:30 -0400
Subject: [PATCH 08/63] Initial mx-puppet-slack bridge role
---
 ...iguring-playbook-bridge-mx-puppet-slack.md | 34 ++++
 group_vars/matrix_servers | 31 +++
 .../defaults/main.yml | 181 ++++++++++++++++++
 .../tasks/init.yml | 70 +++++++
 .../tasks/main.yml | 21 ++
 .../tasks/setup_install.yml | 93 +++++++++
 .../tasks/setup_uninstall.yml | 24 +++
 .../tasks/validate_config.yml | 10 +
 .../systemd/matrix-mx-puppet-slack.service.j2 | 41 ++++
 setup.yml | 1 +
 10 files changed, 506 insertions(+)
 create mode 100644 docs/configuring-playbook-bridge-mx-puppet-slack.md
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/main.yml
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml
 create mode 100644 roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md new file mode 100644 index 000000000..afc1999b8 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -0,0 +1,34 @@ +# Setting up MX Puppet Slack (optional) + +The playbook can install and configure +[mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [Slack](https://www.slack.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_slack_enabled: true +matrix_mx_puppet_slack_client_id: "" +matrix_mx_puppet_slack_client_secret: "" +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Slack Puppet Bridge` with +the handle `@_slackpuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Three authentication methods are available, Legacy Token, OAuth and xoxc token. +See mx-puppet-slack [documentation](https://github.com/Sorunome/mx-puppet-slack) +for more information about how to configure the bridge. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f24c20fdf..1403543f7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -337,6 +337,37 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov
 ######################################################################
+######################################################################
+#
+# matrix-bridge-mx-puppet-slack
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_mx_puppet_slack_enabled: false
+
+matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
+
+matrix_mx_puppet_slack_systemd_required_services_list: |
+ {{
+ ['docker.service']
+ +
+ (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+ }}
+
+matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"
+
+matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}"
+
+matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+
+######################################################################
+#
+# /matrix-bridge-mx-puppet-slack
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-corporal
diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
new file mode 100644
index 000000000..7648fafe3
--- /dev/null
+++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
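Review bot: `matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"` inside the new mx-puppet-slack section is a copy-paste of the Skype variable: it re-defines the Skype setting (and, if the Skype section above already sets that key, silently overrides it as a duplicate key in this file) while `matrix_mx_puppet_slack_container_image_self_build` stays at the role default of `false`, so non-amd64 hosts presumably pull the prebuilt image instead of building it. Rename it to `matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"`.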
@@ -0,0 +1,181 @@ +# Mx Puppet Slack is a Matrix <-> Slack bridge +# See: https://github.com/Sorunome/mx-puppet-slack + +matrix_mx_puppet_slack_enabled: true + +matrix_mx_puppet_slack_container_image_self_build: false + +matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" +matrix_mx_puppet_slack_config_path: "{{ matrix_mx_puppet_slack_base_path }}/config" +matrix_mx_puppet_slack_data_path: "{{ matrix_mx_puppet_slack_base_path }}/data" +matrix_mx_puppet_slack_docker_src_files_path: "{{ matrix_mx_puppet_slack_base_path }}/docker-src" + +matrix_mx_puppet_slack_appservice_port: "8432" + +matrix_mx_puppet_slack_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}' + +matrix_mx_puppet_slack_client_id: '' +matrix_mx_puppet_slack_client_secret: '' +matrix_mx_puppet_slack_redirect_path: '/slack/oauth' +matrix_mx_puppet_slack_redirect_uri: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_slack_redirect_path }}' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_slack_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_slack_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_slack_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-slack.service depends on. 
+matrix_mx_puppet_slack_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-slack.service wants +matrix_mx_puppet_slack_systemd_wanted_services_list: [] + +matrix_mx_puppet_slack_appservice_token: '' +matrix_mx_puppet_slack_homeserver_token: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_slack_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_slack_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_slack_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} + + + # Slack OAuth settings. Create a slack app at https://api.slack.com/apps + oauth: + enabled: false + # Slack app credentials. + # N.B. This must be quoted so YAML wouldn't parse it as a float. + clientId: "{{ matrix_mx_puppet_slack_client_id }}" + clientSecret: {{ matrix_mx_puppet_slack_client_secret }} + # Path where to listen for OAuth redirect callbacks. + redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} + # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, + # then set this field and the Slack app redirect URI field to the former. 
+ redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} + + presence: + # Bridge Discord online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + + provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + + database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". 
+ # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + + logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + +matrix_mx_puppet_slack_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_slack_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_slack_configuration_yaml`. + +matrix_mx_puppet_slack_configuration_extension: "{{ matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml if matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_slack_configuration_yaml`. 
+matrix_mx_puppet_slack_configuration: "{{ matrix_mx_puppet_slack_configuration_yaml|from_yaml|combine(matrix_mx_puppet_slack_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_slack_registration_yaml: | + as_token: "{{ matrix_mx_puppet_slack_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_slack_homeserver_token }}" + id: slack-puppet + namespaces: + users: + - exclusive: true + regex: '@_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _slackpuppet_bot + url: {{ matrix_mx_puppet_slack_appservice_address }} + +matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml new file mode 100644 index 000000000..0b823b2c3 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml 
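Review bot: `clientSecret: {{ matrix_mx_puppet_slack_client_secret }}` is rendered unquoted while `clientId` on the line above is quoted with an explicit note about YAML typing; with the default `''` this renders as `clientSecret:` (null), and a secret containing `: `, ` #`, or a leading indicator character would mis-parse or break the document. `clientSecret: {{ matrix_mx_puppet_slack_client_secret|to_json }}` (the filter the whitelist lines already use) is safe for any value. Two smaller points: `matrix_mx_puppet_slack_enabled: true` as the role default contradicts the `# We don't enable bridges by default.` comment in the group_vars hunk, so the role enables itself when used without the playbook's group_vars; and `# Bridge Discord online/offline status` under `presence` is a leftover from another bridge.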
@@ -0,0 +1,70 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}" + when: matrix_mx_puppet_slack_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-slack-registration.yaml"] }} + when: matrix_mx_puppet_slack_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. 
+ when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: | + location {{ matrix_mx_puppet_slack_redirect_path }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_mx_puppet_slack_appservice_address }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }}; + {% endif %} + } + + - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_appservice_slack_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ something }}` + URL endpoint to the matrix-appservice-slack container. + You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. + when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." 
+ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml new file mode 100644 index 000000000..6aa0fd0fd --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml new file mode 100644 index 000000000..f4c9fc8ec --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml 
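Review bot: The nginx-proxy `block` and the `Warn about reverse-proxying if matrix-nginx-proxy not used` task in init.yml are gated on `matrix_appservice_slack_enabled|bool` instead of `matrix_mx_puppet_slack_enabled|bool`, so this bridge's proxying configuration is only registered when the unrelated matrix-appservice-slack bridge happens to be enabled, and both tasks raise an undefined-variable error on inventories where that variable does not exist. The warning message also still contains a `{{ something }}` placeholder for the URL and points users at `matrix_appservice_slack_container_http_host_bind_port`, both of which look like copy-paste leftovers and should name `{{ matrix_mx_puppet_slack_redirect_path }}` and whatever bind-port variable this role defines (none is visible in this chunk). Change the two conditions to `when: matrix_mx_puppet_slack_enabled|bool` and `when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"`.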
@@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Slack image is pulled + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}" + when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build + +- name: Ensure MX Puppet Slack paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}", when: "{{ matrix_mx_puppet_slack_container_image_self_build }}" } + when: matrix_mx_puppet_slack_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Slack repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-slack.git + dest: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" + +- name: Ensure MX Puppet Slack Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: 
build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_slack_base_path }}/database.db" + register: matrix_mx_puppet_slack_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-slack database file to ./data directory + command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- name: Ensure mx-puppet-slack config.yaml installed + copy: + content: "{{ matrix_mx_puppet_slack_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure mx-puppet-slack slack-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_slack_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-mx-puppet-slack.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-slack.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-slack.service" + mode: 0644 + register: matrix_mx_puppet_slack_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_slack_systemd_service_result.changed" 
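Review bot: `registration.yaml` is installed with `mode: 0644` although it holds `as_token` and `hs_token`, and `config.yaml` gets the same mode even though a user's extension YAML may put Slack credentials in it; the parent directories are created 0750, which blocks traversal, but the files themselves should still not be world-readable. Use `mode: 0640` on both copy tasks so only `{{ matrix_user_username }}` and its group can read them, matching the directory mode. Separately, the self-build path clones the default branch of mx-puppet-slack with `force: "yes"` and no `version:` pin, so what gets built is whatever upstream's branch head is at run time; consider adding `version:` (a tag or commit) to the `git` task, or at least a comment stating that self-build is unpinned.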
diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml new file mode 100644 index 000000000..73314a66e --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-slack service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + register: matrix_mx_puppet_slack_service_stat + +- name: Ensure matrix-mx-puppet-slack is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_slack_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-slack.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + state: absent + when: "matrix_mx_puppet_slack_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml new file mode 100644 index 000000000..3a0bca111 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_slack_appservice_token" + - "matrix_mx_puppet_slack_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 new file mode 100644 index 000000000..a86c6765d --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 
@@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Slack server +{% for service in matrix_mx_puppet_slack_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_slack_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack +ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_slack_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_slack_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_slack_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_slack_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack +ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-slack + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index bca4b240f..ff80320ab 100755 --- a/setup.yml +++ b/setup.yml @@ -17,6 +17,7 @@ - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype + - matrix-bridge-mx-puppet-slack - matrix-synapse - matrix-riot-web - matrix-jitsi From 033dfcb26fedad7550e3d8a267c4790263f13d7f Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 22 Apr 2020 17:28:00 -0400 Subject: [PATCH 09/63] Remove duplicated whitelist entry in skype main.yml --- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) 
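Review bot: The unit mounts the configuration directory read-write (`-v {{ matrix_mx_puppet_slack_config_path }}:/config:z`) although, per this role's defaults, the bridge writes its database and log under `/data` (`/data/database.db`, `/data/bridge.log`) and only reads `config.yaml` and `registration.yaml` from `/config`. Mounting it as `-v {{ matrix_mx_puppet_slack_config_path }}:/config:ro,z` keeps the appservice tokens from being rewritten by a compromised bridge process at no cost; if the bridge does write to `/config` for a reason not visible here, that should be recorded in a comment next to the mount instead.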
diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 1d21835c7..9d80ab04b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -139,7 +139,6 @@ matrix_mx_puppet_skype_configuration_yaml: | provisioning: # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} # Allow a specific user #- "@user:server\\.com" From 4afc46fffe5b005b1fd3e438a58313cf40a54217 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Apr 2020 18:03:36 +0300 Subject: [PATCH 10/63] Announce mx-puppet-slack support Related to #454 (Github Pull Request). --- CHANGELOG.md | 9 +++++++++ README.md | 2 ++ docs/configuring-playbook-bridge-mx-puppet-slack.md | 2 +- docs/configuring-playbook.md | 2 ++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b849ef359..7cd0b4c38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-04-23 + +## Slack bridging support + +Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Slack](https://slack.com) via the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge. + +See our [Setting up MX Puppet Slack bridging](docs/configuring-playbook-bridge-mx-puppet-slack.md) documentation page for getting started. + + # 2020-04-09 ## Skype bridging support diff --git a/README.md b/README.md index 43125026f..6f7d25e0f 100644 --- a/README.md +++ b/README.md 
@@ -146,6 +146,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional) +- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index afc1999b8..1f20219f1 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -5,7 +5,7 @@ The playbook can install and configure See the project page to learn what it does and why it might be useful to you. -To enable the [Slack](https://www.slack.com/) bridge just use the following +To enable the [Slack](https://slack.com/) bridge just use the following playbook configuration: diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index af00f7c09..7e9110957 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -99,4 +99,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional) +- [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) From 23bfaa72ecf5451480d8a9286ffc9f6187394a42 Mon Sep 17 00:00:00 2001 
From: Aaron Raimist Date: Thu, 23 Apr 2020 13:30:50 -0500 Subject: [PATCH 11/63] Upgrade Synapse (1.12.3 -> 1.12.4) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a2fa1bea3..8597c7510 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.4" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 8cdf3a24f9650f91c58c4ff6b77734448200bb7c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Apr 2020 22:13:47 +0300 Subject: [PATCH 12/63] Fix variable name typo --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1403543f7..382897fd6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -346,7 +346,7 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov # We don't enable bridges by default. matrix_mx_puppet_slack_enabled: false -matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" +matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_mx_puppet_slack_systemd_required_services_list: | {{ From 9cc0c5955ddb6e1498cf382b31ce9532a4866351 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 24 Apr 2020 09:59:30 +0300 Subject: [PATCH 13/63] Use |quote in some command calls --- roles/matrix-synapse/tasks/register_user.yml | 2 +- roles/matrix-synapse/tasks/update_user_password.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml index da0e28c3e..9c2a3ea04 100644 --- a/roles/matrix-synapse/tasks/register_user.yml +++ b/roles/matrix-synapse/tasks/register_user.yml @@ -28,4 +28,4 @@ when: "start_result.changed" - name: Register user - shell: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" + command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username|quote }} {{ password|quote }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index 0d77f5ddf..1e86bd493 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -36,8 +36,8 @@ when: "start_result.changed or postgres_start_result.changed" - name: Generate password hash - shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" + shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" register: password_hash - name: Update user password hash - shell: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'" + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" From 438652c732377f92d7af003e82778cffa193f4fe Mon Sep 17 00:00:00 2001 
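Review bot: `|quote` on `username` and `password` closes the shell-injection path, but the `Register user` task still passes the plaintext password as an argument, and on `-v`/`-vvv` runs or a failed task Ansible prints the rendered command line and the result dictionary, so the password lands in playbook output and in any log collector attached to it. Add `no_log: true` to the task; the same applies to the two tasks in `update_user_password.yml` touched by this commit. The argument is also visible to other local users via `ps` while `matrix-synapse-register-user` runs, which `|quote` does not change; if the script can take the password on stdin, `stdin:` on the task would avoid that.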
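Review bot: `Generate password hash` keeps `shell:` while the other two tasks in this commit moved to `command:`; nothing in `/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}` needs a shell, so `command:` removes the shell layer altogether rather than relying on quoting. Either way the plaintext password is a `docker exec` argument, visible in `ps` on the host, and the registered `password_hash` result stores the command line alongside the output, so both tasks should carry `no_log: true`. If the image's `hash_password` prompts when `-p` is omitted (I believe upstream uses getpass, which falls back to stdin without a tty — please confirm for this image), feeding the password through the task's `stdin:` with `docker exec -i` would avoid argv exposure entirely.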
From: Slavi Pantaleev Date: Mon, 27 Apr 2020 10:49:06 +0300 Subject: [PATCH 14/63] Switch Slack image to a working tag We've had reports of the `:latest` tag not working anymore, leading to an error as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/341 --- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 58babbc31..d68c11788 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest" +matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" From e4f1f2c754e4c2a83584b4414af4ab41076477f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Corni=C3=A8re?= Date: Mon, 27 Apr 2020 23:40:46 +0200 Subject: [PATCH 15/63] Add information to make jitsi work with a client in LAN --- docs/configuring-playbook-jitsi.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index d6ff1c8a4..8e28d48ba 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
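Review bot: Switching `matrix_appservice_slack_docker_image` to `cadair/matrix-appservice-slack:cadair` also flips `matrix_appservice_slack_docker_image_force_pull` to false, because that variable is keyed on `.endswith(':latest')` and nothing else in this hunk changes; if `:cadair` is a moving branch tag (the name suggests a maintainer or branch tag rather than a release) hosts that already have it cached will never pick up a rebuilt image. Either pin a release tag or an `@sha256:` digest, or set `matrix_appservice_slack_docker_image_force_pull: true` explicitly while the mutable tag is in use. A short comment above the default saying why a non-release tag is used, pointing at the issue named in the commit message, would save the next maintainer from "fixing" it back to `:latest`.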
@@ -49,6 +49,21 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true ``` +## (Optional) Making your Jitsi server work on a LAN + +By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok. + +The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add DOCKER_HOST_ADDRESS in enviornment variable to make it work. + +Here is how to do it in the playbook. + +Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_jvb_container_extra_arguments: + - '--env "DOCKER_HOST_ADDRESS="' +``` + ## Apply changes Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` From 37d427c05c884c0db8daf668479a492202afbe9b Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Tue, 28 Apr 2020 03:52:43 +0200 Subject: [PATCH 16/63] Update Jitsi docker images to stable 4416 --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index fb9242ed5..1e5596b34 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -28,7 +28,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4384" +matrix_jitsi_web_docker_image: "jitsi/web:4416" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" 
@@ -74,7 +74,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4416" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -87,7 +87,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4416" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -104,7 +104,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4416" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 29f606bac7b1c5ab26e9c98acb14e3c990c53cec Mon Sep 17 00:00:00 2001 From: GuillauG Date: Tue, 28 Apr 2020 12:10:33 +0200 Subject: [PATCH 17/63] Add 'permalinkPrefix' and 'default_theme' for configuring riot web (#472) * add permalinkPrefix to riot-web config * add feature to change default theme of riot-web via its config file * remove matrix_riot_web_change_default_theme and provide sane default --- roles/matrix-riot-web/defaults/main.yml | 4 ++++ roles/matrix-riot-web/templates/config.json.j2 | 2 ++ 2 files changed, 6 insertions(+) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e55de5346..31c2c9696 100644 
--- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -29,6 +29,7 @@ matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" matrix_riot_web_integrations_widgets_urls: ["https://scalar.vector.im/api"] matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +matrix_riot_web_permalinkPrefix: "https://matrix.to" # Riot public room directory server(s) matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" @@ -75,6 +76,9 @@ matrix_riot_web_enable_presence_by_hs_url: ~ matrix_riot_web_themes_enabled: false matrix_riot_web_themes_repository_url: https://github.com/aaronraimist/riot-web-themes +# Controls the default riot-web theme +matrix_riot_web_default_theme: 'light' + # Controls the `settingsDefault.custom_themes` setting of the riot-web configuration. # You can use this setting to define custom themes. # diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index adbbf8dcd..8738e7dac 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -11,6 +11,8 @@ "settingDefaults": { "custom_themes": {{ matrix_riot_web_settingDefaults_custom_themes|to_json }} }, + "default_theme": {{ matrix_riot_web_default_theme|string|to_json }}, + "permalinkPrefix": {{ matrix_riot_web_permalinkPrefix|string|to_json }}, "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": {{ matrix_riot_web_brand|to_json }}, From a2df0016eb9a30bcb0024581605034dcba29a3b2 Mon Sep 17 00:00:00 2001 
From: John Goerzen Date: Tue, 28 Apr 2020 11:43:52 -0500 Subject: [PATCH 18/63] Update matrix-appservice-irc to 0.16.0 Note the potential breaking change Resolves #474 --- CHANGELOG.md | 13 +++++++++++++ .../matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cd0b4c38..4e0188795 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +# 2020-04-28 + +## Newer IRC bridge (with potential breaking change) + +This upgrades matrix-appservice-irc from 0.14.1 to 0.16.0. Upstream +made a change to how you define manual mappings. If you added a +`mapping` to your configuration, you will need to update it accoring +to the [upstream +instructions](https://github.com/matrix-org/matrix-appservice-irc/blob/master/CHANGELOG.md#0150-2020-02-05). +If you did not include `mappings` in your configuration for IRC, no +change is necessary. `mappings` is not part of the default +configuration. + # 2020-04-23 ## Slack bridging support diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index a9b048724..acbb572ba 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.16.0" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" From 669780976fbaeb93b1b80d92607cb50ce2e76d8c Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 29 Apr 2020 09:29:03 +0300 Subject: [PATCH 19/63] Update mappings configuration example --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index acbb572ba..5f6d0503e 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -235,7 +235,11 @@ matrix_appservice_irc_ircService_servers: [] # # 1:many mappings from IRC channels to room IDs on this IRC server. # # The matrix room must already exist. Your matrix client should expose # # the room ID in a "settings" page for the room. -# "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] +# "#thepub": +# roomIds: ["!kieouiJuedJoxtVdaG:localhost"] +# # Channel key/password to use. Optional. If provided, matrix users do +# # not need to know the channel key in order to join the channel. +# # key: "secret" # # Configuration for virtual matrix users. The following variables are # # exposed: From 37b80d0c75d7ec4f074f96636f1cdefe61013fa7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Apr 2020 17:22:18 +0300 Subject: [PATCH 20/63] Fix example policy provider configuration for matrix-corporal Fixes the example, to add the missing required configuration key for the HTTP policy provider. Related to #477 (Github Issue). --- docs/configuring-playbook-matrix-corporal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index cba68f744..e983f4723 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md 
@@ -26,7 +26,8 @@ matrix_corporal_policy_provider_config: | "Uri": "https://intranet.example.com/matrix/policy", "AuthorizationBearerToken": "SOME_SECRET", "CachePath": "/var/cache/matrix-corporal/last-policy.json", - "ReloadIntervalSeconds": 1800 + "ReloadIntervalSeconds": 1800, + "TimeoutMilliseconds": 300 } # If you also want to enable Matrix Corporal's HTTP API.. From 9d6614e80f38eb4307df48f4ebe4e59dc65c4c91 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 29 Apr 2020 17:57:38 +0200 Subject: [PATCH 21/63] Add support for Jitsi LDAP authentication --- roles/matrix-jitsi/defaults/main.yml | 22 +++++++++++++++++++++ roles/matrix-jitsi/templates/prosody/env.j2 | 16 ++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 1e5596b34..fc428b961 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -7,6 +7,28 @@ matrix_jitsi_enable_guests: false matrix_jitsi_enable_recording: true matrix_jitsi_enable_transcriptions: true +# Authentication type, must be one of internal, jwt or ldap. Currently only +# internal and ldap are supported by this playbook. +matrix_jitsi_auth_type: internal + +# Configuration options for LDAP authentication. For details see upstream: +# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. +# Defaults are taken from: +# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf +matrix_jitsi_ldap_url: "" +matrix_jitsi_ldap_base: "" +matrix_jitsi_ldap_binddn: "" +matrix_jitsi_ldap_bindpw: "" +matrix_jitsi_ldap_filter: "uid=%u" +matrix_jitsi_ldap_auth_method: "bind" +matrix_jitsi_ldap_version: "3" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_tls_ciphers: "" +matrix_jitsi_ldap_tls_check_peer: false +matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" +matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" +matrix_jitsi_ldap_start_tls: false + matrix_jitsi_timezone: UTC matrix_jitsi_xmpp_domain: matrix-jitsi-web diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index caa792134..e4479b732 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 
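Review bot: `matrix_jitsi_ldap_tls_check_peer: false` is passed straight through to `LDAP_TLS_CHECK_PEER`, so with `matrix_jitsi_ldap_use_tls` or `matrix_jitsi_ldap_start_tls` enabled the LDAP server certificate is not verified and the bind DN and `matrix_jitsi_ldap_bindpw` can be captured by anyone able to interpose on the LDAP connection; the header comment says the defaults come from upstream's saslauthd.conf, which explains but does not justify it. Add a comment above it such as `# Leave false only for testing: without peer checking, TLS to the LDAP server is unauthenticated and the bind password can be intercepted.`, and consider defaulting it to true since `matrix_jitsi_ldap_tls_cacert_file` already points at the system CA bundle. The comment on `matrix_jitsi_auth_type` says it "must be one of internal, jwt or ldap" and only two are supported, but nothing in this commit enforces that; a `validate_config` check that the value is in `['internal', 'ldap']` and that `matrix_jitsi_ldap_url` and `matrix_jitsi_ldap_base` are non-empty when it is `ldap` would turn a silently broken prosody into an early failure.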
@@ -1,8 +1,22 @@
-AUTH_TYPE=internal
+AUTH_TYPE={{ matrix_jitsi_auth_type }}
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
+LDAP_URL={{ matrix_jitsi_ldap_url }}
+LDAP_BASE={{ matrix_jitsi_ldap_base }}
+LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
+LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
+LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
+LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
+LDAP_VERSION={{ matrix_jitsi_ldap_version }}
+LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
+LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
+LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
+LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
+LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
+LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
+
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
From 32ce9866e9342a38a52c3fd0467a2f200f121d2d Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 29 Apr 2020 17:58:56 +0200 Subject: [PATCH 22/63] Update documentation for Jitsi LDAP authentication support
--- docs/configuring-playbook-jitsi.md | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md
index 8e28d48ba..ca6fc18f5 100644
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
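Review bot: `LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}` puts the LDAP bind password into the Prosody environment file in clear text next to the non-sensitive settings; the task that renders this template is outside the hunk, so confirm it installs the file with an owner/group-only mode rather than the default umask, and that the rendered file is not world-readable on the host. Every `LDAP_*` value is interpolated verbatim with no quoting or escaping, so if this file is consumed as a Docker `--env-file` (as the `KEY=VALUE` layout suggests), a password or filter containing a newline would corrupt the file. A short comment above the LDAP block, `{# LDAP_* values are written verbatim (no quoting); keep matrix_jitsi_ldap_bindpw free of newlines #}`, records that constraint where an operator editing the template will see it.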
@@ -4,7 +4,7 @@ The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing plat Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services. -The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). +The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). You can refer to the documentation there for many of the options here. ## Prerequisites @@ -34,13 +34,13 @@ matrix_jitsi_jibri_xmpp_password: "" ``` -## (Optional) configure internal Jitsi authentication and guests mode +## (Optional) Configure Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). -If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: 
@@ -49,11 +49,28 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true ``` +### (Optional) LDAP authentication + +The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_auth_type: ldap +matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls +matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN" +matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_start_tls: true +``` + +For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation. + + ## (Optional) Making your Jitsi server work on a LAN By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok. -The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add DOCKER_HOST_ADDRESS in enviornment variable to make it work. +The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work. Here is how to do it in the playbook. 
@@ -68,7 +85,7 @@ matrix_jitsi_jvb_container_extra_arguments: Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with its internal authentication: register new users +## Required if configuring Jitsi with internal authentication: register new users Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: From a0ce5eec6457b80f0b812a5c1ccefbc6d4c7c679 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 29 Apr 2020 19:00:24 +0200 Subject: [PATCH 23/63] Document how to point dimension jitsi widgets at your own jitsi instance This can be removed once turt2live/matrix-dimension#345 is resolved. --- docs/configuring-playbook-dimension.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 40bec06b7..8dd34dcd5 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md 
@@ -51,6 +51,12 @@ After these variables have been set, please run the following command to re-run ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` +## Jitsi domain + +By default dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of Jitsi widgets. For users running a self-hosted jitsi instance, you will likely want the widget to use your Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. + +In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. + ## Additional features To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it. From 77c760ac7d2471db8d87752fdd880ff8a64ab188 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Apr 2020 10:14:46 +0300 Subject: [PATCH 24/63] Add some links --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 8dd34dcd5..ddd1d1bc5 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md 
@@ -53,7 +53,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Jitsi domain -By default dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of Jitsi widgets. For users running a self-hosted jitsi instance, you will likely want the widget to use your Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. +By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. From 0029b37b9690cf26e7c904025e934217aa0062a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Apr 2020 10:24:17 +0300 Subject: [PATCH 25/63] Improve Usage section of Jitsi docs page --- docs/configuring-playbook-jitsi.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index ca6fc18f5..21a440f64 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -101,9 +101,15 @@ Run this command for each user you would like to create, replacing `` ## Usage -You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. +You can use the self-hosted Jitsi server in multiple ways: -To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. +- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + +- **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default). + +- **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN` + +**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support). ## Troubleshooting From 966b74e74f75285608fff3d7b9c968856cd5316f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Sterba?= Date: Fri, 1 May 2020 14:21:07 +0200 Subject: [PATCH 26/63] Add caddy 1 well-known example Adjust params --- docs/configuring-well-known.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 8bf84ed16..826a74944 100644 --- a/docs/configuring-well-known.md 
+++ b/docs/configuring-well-known.md @@ -104,7 +104,7 @@ server { ``` -**For Caddy**, it would be something like this: +**For Caddy 2**, it would be something like this: ```caddy reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { @@ -112,6 +112,14 @@ reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { } ``` +**For Caddy 1**, it would be something like this: + +```caddy +proxy /.well-known/matrix/ https://matrix.DOMAIN { + header_upstream Host {http.reverse_proxy.upstream.hostport} +} +``` + **For HAProxy**, it would be something like this: ```haproxy From 741064a178b8bd675673235d7021132458f0956d Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 1 May 2020 19:11:55 +0200 Subject: [PATCH 27/63] Fix group ownership of Dimension base path and config Ansible will migrate the ownership of the base path and config path, but manual intervention will be required in order to migrate the ownership of files in those directories (i.e. dimension.db). Stop the services: (local)$ ansible-playbook -i inventory/hosts setup.yml --tags=stop Fix the permissions on the server: (server)# chown -Rv "{{ matrix_user_username }}:{{ matrix_user_username }}" "{{ matrix_dimension_base_path }}" which would typically look like: (server)# chown -Rv matrix:matrix /matrix/dimension/ Reconfigure Dimension and start the services: (local)$ ansible-playbook -i inventory/hosts setup.yml --tags=setup-dimension,start --- roles/matrix-dimension/tasks/setup_dimension.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 2437a5472..929521467 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml 
@@ -10,7 +10,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_dimension_user_gid }}" + group: "{{ matrix_user_username }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension config installed @@ -19,7 +19,7 @@ dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" - group: "{{ matrix_dimension_user_gid }}" + group: "{{ matrix_user_username }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension image is pulled From cf0e56e92b697d793da6d71258c4e9daa8ab57cc Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 1 May 2020 19:39:17 +0200 Subject: [PATCH 28/63] Consistent usage of matrix username and groupname, not uid and gid This should be a no-op, no migration necessary. --- roles/matrix-synapse/tasks/goofys/setup_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index efd9d46cf..f8c4b013a 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -17,8 +17,8 @@ path: "{{ matrix_synapse_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_uid }}" - group: "{{ matrix_user_gid }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created From 7585bcc4ac50d08392cf304599a6f80033d0d339 Mon Sep 17 00:00:00 2001 
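Review bot: With `group:` switched to `{{ matrix_user_username }}` in both tasks, `matrix_dimension_user_gid` no longer has a consumer in this file; if it is still declared in the role's defaults (not visible here) it is now dead configuration and should be removed or marked deprecated, otherwise operators who set it will expect it to take effect. The commit message acknowledges that files already present under `matrix_dimension_base_path` are not re-owned by these tasks; because the directory is `mode: 0770` and the config `mode: 0640`, a container still running with the previous gid loses read access to `config.yaml` after this change, so the manual `chown` step from the commit message belongs in the docs or a changelog entry rather than only in git history. PATCH 29 further down rewrites the same two lines again to `matrix_user_groupname`, which is worth keeping in mind when reviewing the migration advice.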
From: Chris van Dijk Date: Fri, 1 May 2020 19:59:32 +0200 Subject: [PATCH 29/63] Allow the matrix user username and groupname to be configured separately No migration steps should be required. --- roles/matrix-base/defaults/main.yml | 1 + roles/matrix-base/tasks/setup_matrix_base.yml | 6 +++--- roles/matrix-base/tasks/setup_well_known.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 8 ++++---- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 10 +++++----- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- roles/matrix-corporal/tasks/setup_corporal.yml | 4 ++-- roles/matrix-coturn/tasks/setup_coturn.yml | 4 ++-- roles/matrix-dimension/tasks/setup_dimension.yml | 4 ++-- roles/matrix-email2matrix/tasks/setup_email2matrix.yml | 4 ++-- roles/matrix-jitsi/tasks/setup_jitsi_base.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 2 +- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 6 +++--- roles/matrix-mailer/tasks/setup_mailer.yml | 2 +- roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 8 ++++---- roles/matrix-nginx-proxy/tasks/setup_well_known.yml | 4 ++-- roles/matrix-nginx-proxy/tasks/ssl/main.yml | 2 +- .../ssl/setup_ssl_self_signed_obtain_for_domain.yml | 2 +- roles/matrix-postgres/tasks/import_sqlite_db.yml | 2 +- .../tasks/migrate_postgres_data_directory.yml | 2 +- roles/matrix-postgres/tasks/run_synapse_janitor.yml | 2 +- roles/matrix-postgres/tasks/setup_postgres.yml | 4 ++-- roles/matrix-riot-web/tasks/setup_riot_web.yml | 6 +++--- .../tasks/ext/rest-auth/setup_install.yml | 2 +- .../tasks/ext/shared-secret-auth/setup_install.yml | 2 +- 
roles/matrix-synapse/tasks/goofys/setup_install.yml | 2 +- roles/matrix-synapse/tasks/import_media_store.yml | 2 +- roles/matrix-synapse/tasks/setup_synapse.yml | 2 +- roles/matrix-synapse/tasks/synapse/setup_install.yml | 4 ++-- 39 files changed, 80 insertions(+), 79 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 7f4c6ace7..0885f3d84 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -22,6 +22,7 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" matrix_user_username: "matrix" +matrix_user_groupname: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 24217883d..9afda508f 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -2,7 +2,7 @@ - name: Ensure Matrix group is created group: - name: "{{ matrix_user_username }}" + name: "{{ matrix_user_groupname }}" gid: "{{ matrix_user_gid }}" state: present @@ -11,7 +11,7 @@ name: "{{ matrix_user_username }}" uid: "{{ matrix_user_uid }}" state: present - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix base path exists file: @@ -19,7 +19,7 @@ state: directory mode: "{{ matrix_base_data_path_mode }}" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_base_data_path }}" diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 36706df47..3b81ce1e3 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml 
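Review bot: `matrix_user_groupname: "matrix"` is a literal, whereas until this commit the group was always created with `name: "{{ matrix_user_username }}"`; a deployment that overrides `matrix_user_username` will now get a group named `matrix` instead of one matching its user, which contradicts the commit message's "No migration steps should be required". Defaulting the new variable to the username preserves the old behaviour for everyone who has not opted in: `matrix_user_groupname: "{{ matrix_user_username }}"`. That default also keeps the `owner`/`group` pairs rewritten across the other files in this patch consistent for such deployments, since every one of them now pairs `matrix_user_username` with `matrix_user_groupname`.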
@@ -8,7 +8,7 @@ state: directory mode: 0755 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" @@ -18,7 +18,7 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured template: @@ -26,7 +26,7 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_well_known_matrix_server_enabled|bool - name: Ensure Matrix /.well-known/matrix/server file deleted diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index e2144f6ae..d736fa7c7 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_discord_base_path }}" - "{{ matrix_appservice_discord_config_path }}" @@ -46,7 +46,7 @@ dest: "{{ matrix_appservice_discord_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure AppService Discord registration.yaml installed copy: 
@@ -54,7 +54,7 @@ dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" # If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated. # We intentionally suppress Ansible changes. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 1c69b2a82..7206d25e9 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_irc_base_path }}" - "{{ matrix_appservice_irc_config_path }}" @@ -50,7 +50,7 @@ dest: "{{ matrix_appservice_irc_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Check if Appservice IRC passkey exists stat: @@ -70,7 +70,7 @@ path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" # Ideally, we'd like to generate the final registration.yaml file by ourselves. # @@ -134,7 +134,7 @@ dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-irc.service installed template: diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b4132e966..94e0fedf9 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml 
+++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_slack_base_path }}" - "{{ matrix_appservice_slack_config_path }}" @@ -25,7 +25,7 @@ dest: "{{ matrix_appservice_slack_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure appservice-slack registration.yaml installed copy: @@ -33,7 +33,7 @@ dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-slack.service installed template: diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 5d167dc0b..9ddc121a1 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_webhooks_base_path }}" - "{{ matrix_appservice_webhooks_config_path }}" @@ -25,7 +25,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix Appservice webhooks schema.yml template exists template: 
@@ -33,7 +33,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix Appservice webhooks database.json template exists template: @@ -41,7 +41,7 @@ dest: "{{ matrix_appservice_webhooks_data_path }}/database.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure appservice-webhooks registration.yaml installed copy: @@ -49,7 +49,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-webhooks.service installed template: diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 82b55cea1..a1131d8ea 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } @@ -73,7 +73,7 @@ dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-facebook registration.yaml installed copy: 
@@ -81,7 +81,7 @@ dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-facebook.service installed template: diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index ae962d34c..97893be7c 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true } @@ -72,7 +72,7 @@ dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-hangouts registration.yaml installed copy: @@ -80,7 +80,7 @@ dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-hangouts.service installed template: diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1c8b063d8..9dc38ec2c 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -21,7 +21,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_mautrix_telegram_base_path }}" - "{{ matrix_mautrix_telegram_config_path }}" 
@@ -50,7 +50,7 @@ dest: "{{ matrix_mautrix_telegram_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-telegram registration.yaml installed copy: @@ -58,7 +58,7 @@ dest: "{{ matrix_mautrix_telegram_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-telegram.service installed template: diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index a818afb18..6bd87bbe2 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -21,7 +21,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_mautrix_whatsapp_base_path }}" - "{{ matrix_mautrix_whatsapp_config_path }}" @@ -59,7 +59,7 @@ dest: "{{ matrix_mautrix_whatsapp_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-whatsapp registration.yaml installed copy: @@ -67,7 +67,7 @@ dest: "{{ matrix_mautrix_whatsapp_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-whatsapp.service installed template: diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 6857c6c93..e88fd7783 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml 
@@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true } - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true } @@ -71,7 +71,7 @@ dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mx-puppet-skype skype-registration.yaml installed copy: @@ -79,7 +79,7 @@ dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mx-puppet-skype.service installed template: diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index f4c9fc8ec..ddaede728 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true } - { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true } @@ -70,7 +70,7 @@ dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mx-puppet-slack slack-registration.yaml installed copy: 
@@ -78,7 +78,7 @@ dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mx-puppet-slack.service installed template: diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 2e09f013b..72b6a5b26 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_corporal_config_dir_path }}" - "{{ matrix_corporal_cache_dir_path }}" @@ -31,7 +31,7 @@ dest: "{{ matrix_corporal_config_dir_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_corporal_enabled|bool - name: Ensure matrix-corporal.service installed diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 8a2ad3bdd..52db0e3e0 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} when: matrix_riot_web_enabled|bool and item.when @@ -47,7 +47,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_coturn_enabled|bool - name: Ensure turnserver.conf installed 
diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 929521467..1681a548b 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -10,7 +10,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension config installed @@ -19,7 +19,7 @@ dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension image is pulled diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml index 1e64627af..d5fa73a51 100644 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_email2matrix_base_path }}" - "{{ matrix_email2matrix_config_dir_path }}" @@ -21,7 +21,7 @@ src: "{{ role_path }}/templates/config.json.j2" dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0640 when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml index fcfbb8f65..408027ee0 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml 
@@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_base_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index b7ff409a0..63da7fcfa 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true } - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index f442fc6e7..09055b59e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true } - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index e783aad90..4159362da 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } 
diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 3610a084d..6e5d20b06 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 57fc019a8..ee055afd7 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_ma1sd_config_path }}", when: true } - { path: "{{ matrix_ma1sd_data_path }}", when: true } @@ -69,7 +69,7 @@ dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_ma1sd_enabled|bool - name: Ensure custom templates are installed if any @@ -78,7 +78,7 @@ dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index e216915fa..6104edfe6 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml 
@@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_mailer_enabled|bool - name: Ensure mailer environment variables file created diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 6db5d9785..69ac36f20 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -16,7 +16,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_nginx_proxy_base_path }}" - "{{ matrix_nginx_proxy_data_path }}" @@ -34,7 +34,7 @@ src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" @@ -79,7 +79,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_nginx_proxy_base_domain_serving_enabled|bool - name: Ensure Matrix nginx-proxy homepage for base domain exists @@ -88,7 +88,7 @@ dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool - name: Ensure Matrix nginx-proxy configuration for base domain exists 
diff --git a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml index 5cd54cc8e..3e43a8c60 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml @@ -11,7 +11,7 @@ state: directory mode: 0755 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" @@ -21,4 +21,4 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" \ No newline at end of file + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index 5402468c6..6c0608186 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -14,7 +14,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: true with_items: - "{{ matrix_ssl_log_dir_path }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index 80838fa67..aea17cc02 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -17,7 +17,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" # The proper way to do this is by using a sequence of 
diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index 5953557b2..eab4e8924 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -50,7 +50,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-postgres is started service: diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml index 599d45b5f..ef5fbf47d 100644 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -46,7 +46,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "result_pg_old_data_dir_stat.stat.exists" - block: diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 4562b8ba1..41484d79c 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml @@ -42,7 +42,7 @@ force: true mode: 0550 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-postgres is started service: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 355898b60..e4d443928 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -38,7 +38,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_postgres_base_path }}" - "{{ matrix_postgres_data_path }}" 
@@ -52,7 +52,7 @@ path: "{{ matrix_postgres_data_path }}" state: directory owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: yes when: matrix_postgres_enabled|bool diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index a1d25fc60..f21834a8d 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_riot_web_data_path }}", when: true } - { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" } @@ -48,7 +48,7 @@ dest: "{{ matrix_riot_web_data_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_riot_web_enabled|bool - name: Ensure Matrix riot-web config files installed @@ -57,7 +57,7 @@ dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"} diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml index 9569d71e7..634b1ca5e 100644 --- a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -12,7 +12,7 @@ force: true mode: 0440 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - set_fact: matrix_synapse_password_providers_enabled: true 
diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml index 60e5ee0c2..af92041df 100644 --- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -12,7 +12,7 @@ force: true mode: 0440 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - set_fact: matrix_synapse_password_providers_enabled: true diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index f8c4b013a..932379861 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -18,7 +18,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml index db68f22d1..487bcb356 100644 --- a/roles/matrix-synapse/tasks/import_media_store.yml +++ b/roles/matrix-synapse/tasks/import_media_store.yml @@ -66,7 +66,7 @@ file: path: "{{ matrix_synapse_media_store_path }}" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: yes when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index c40ae170b..4fb41b1ae 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml 
@@ -6,7 +6,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - { path: "{{ matrix_synapse_run_path }}", when: true } diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index f10614e74..58f4d31dc 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -15,7 +15,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - name: Ensure Synapse repository is present on self-build @@ -79,7 +79,7 @@ dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Synapse log config installed template: From d6266a8c4741fb78b97250f16c5dc9f328648b71 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Fri, 1 May 2020 21:34:42 +0200 Subject: [PATCH 30/63] fix skype bridge being rebuilt when upstream changed --- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 6857c6c93..8fb94d731 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -42,6 +42,7 @@ docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build + force_source: yes build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" 
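Review bot: `force_source: yes` in the mx-puppet-skype `docker_image` task uses the YAML 1.1 truthy spelling, while the neighbouring task files in this series write booleans as `true`/`false` (`force: true`, `when: true`); `force_source: true` keeps yamllint's truthy rule and YAML 1.2 parsers in agreement. The option also makes every playbook run rebuild the image from the checked-out sources rather than only when they changed, which appears to be the intent behind the subject but is worth stating next to the line, e.g. `# Rebuild on every run so that upstream changes in the checked-out sources are picked up`. The enclosing `docker_image` task starts outside the hunk.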
From e750c6c6ff6e58ea90e588499b92418a652a5ece Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 4 May 2020 09:46:45 -0500 Subject: [PATCH 31/63] Update coturn (4.5.1.1 -> 4.5.1.2) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 06063e3b2..ef314d89b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. From f7fcf3590a7eb60a3aaebf19a678f3c4bef3baf2 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Mon, 4 May 2020 17:34:23 +0200 Subject: [PATCH 32/63] Clarify domain of Dimension admin users in docs by using matrix_domain variable --- docs/configuring-playbook-dimension.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index ddd1d1bc5..24fd16e11 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -21,7 +21,9 @@ These users can modify the integrations this Dimension supports. Admin interface Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com'] +matrix_dimension_admins: + - "@user1:{{ matrix_domain }}" + - "@user2:{{ matrix_domain }}" ``` ## Access token From a1c5a197a93d410d714215b90627bcfb007864b4 Mon Sep 17 00:00:00 2001 
From: Fanch Date: Mon, 4 May 2020 21:43:54 +0200 Subject: [PATCH 33/63] remove default UID/GID --- roles/matrix-base/defaults/main.yml | 2 -- roles/matrix-base/tasks/setup_matrix_base.yml | 13 ++++++++++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 7f4c6ace7..90061a064 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -22,8 +22,6 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" matrix_user_username: "matrix" -matrix_user_uid: 991 -matrix_user_gid: 991 matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 24217883d..9720cb912 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -3,15 +3,23 @@ - name: Ensure Matrix group is created group: name: "{{ matrix_user_username }}" - gid: "{{ matrix_user_gid }}" state: present + register: matrix_group + +- name: Set Matrix Group GID Variable + set_fact: + matrix_user_gid: "{{ matrix_group.gid }}" - name: Ensure Matrix user is created user: name: "{{ matrix_user_username }}" - uid: "{{ matrix_user_uid }}" state: present group: "{{ matrix_user_username }}" + register: matrix_user + +- name: Set Matrix Group UID Variable + set_fact: + matrix_user_uid: "{{ matrix_user.uid }}" - name: Ensure Matrix base path exists file: @@ -54,4 +62,3 @@ src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" dest: "{{ matrix_local_bin_path }}/matrix-remove-all" mode: 0750 - From 658e3361f6ba55414ae84f7a1e68e2428fad7c34 Mon Sep 17 00:00:00 2001 
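Review bot: The task named `Set Matrix Group UID Variable` stores the `user` module's `uid` into `matrix_user_uid`, so its name is a copy of the GID task above it; it should read `- name: Set Matrix User UID Variable`. The same wording is carried into the new `setup_matrix_user.yml` introduced in PATCH 36 of this series. With the fixed `991` defaults removed, a comment above the two `set_fact` tasks would help the next reader understand that the ids are now whatever the OS assigned and are exported because other roles need them, e.g. `# uid/gid are assigned by the system at creation time and may differ between hosts; exported for the roles that depend on them`.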
From: Christian Wolf Date: Tue, 5 May 2020 08:42:14 +0200 Subject: [PATCH 34/63] Added a documentation enhancement regarding external TURN server --- docs/configuring-playbook-turn.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index 547f2befb..c1d777a89 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md @@ -31,3 +31,12 @@ matrix_synapse_turn_uris: - turn:HOSTNAME_OR_IP?transport=udp - turn:HOSTNAME_OR_IP?transport=tcp ``` + +If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might want to enable the TURN server there too. +If you do not do it, Jitsi will fall back to an upstream service. + +```yaml +matrix_jitsi_web_stun_servers: +- stun:HOSTNAME_OR_IP:PORT +``` +You can put multiple host/port combinations if you like. From 4359571d38e0f4b1d9e5bd3477b583bd0eca16ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 May 2020 14:02:14 +0300 Subject: [PATCH 35/63] Upgrade riot-web to v1.6.0 --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 31c2c9696..71255e243 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 8fea6f5130e658cd0edbf030ce61a82cf9c874b2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 6 May 2020 09:43:30 +0300 Subject: [PATCH 36/63] Make sure matrix_user_uid and matrix_user_gid are always set If one runs the playbook with `--tags=setup-all`, it would have been fine. But running with a specific tag (e.g. `--tags=setup-riot-web`) would have made that initialization be skipped, and the `matrix-riot-web` role would fail, due to missing variables. --- roles/matrix-base/tasks/main.yml | 7 ++++++ roles/matrix-base/tasks/setup_matrix_base.yml | 21 ------------------ roles/matrix-base/tasks/setup_matrix_user.yml | 22 +++++++++++++++++++ 3 files changed, 29 insertions(+), 21 deletions(-) create mode 100644 roles/matrix-base/tasks/setup_matrix_user.yml diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 827a41013..c51d6811a 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -12,6 +12,13 @@ tags: - setup-all +# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, +# which are required by many other roles. +- import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" + when: run_setup|bool + tags: + - always + - import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" when: run_setup|bool tags: diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 9720cb912..fa26b5f54 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml 
@@ -1,26 +1,5 @@ --- -- name: Ensure Matrix group is created - group: - name: "{{ matrix_user_username }}" - state: present - register: matrix_group - -- name: Set Matrix Group GID Variable - set_fact: - matrix_user_gid: "{{ matrix_group.gid }}" - -- name: Ensure Matrix user is created - user: - name: "{{ matrix_user_username }}" - state: present - group: "{{ matrix_user_username }}" - register: matrix_user - -- name: Set Matrix Group UID Variable - set_fact: - matrix_user_uid: "{{ matrix_user.uid }}" - - name: Ensure Matrix base path exists file: path: "{{ item }}" diff --git a/roles/matrix-base/tasks/setup_matrix_user.yml b/roles/matrix-base/tasks/setup_matrix_user.yml new file mode 100644 index 000000000..277a41d97 --- /dev/null +++ b/roles/matrix-base/tasks/setup_matrix_user.yml @@ -0,0 +1,22 @@ +--- + +- name: Ensure Matrix group is created + group: + name: "{{ matrix_user_username }}" + state: present + register: matrix_group + +- name: Set Matrix Group GID Variable + set_fact: + matrix_user_gid: "{{ matrix_group.gid }}" + +- name: Ensure Matrix user is created + user: + name: "{{ matrix_user_username }}" + state: present + group: "{{ matrix_user_username }}" + register: matrix_user + +- name: Set Matrix Group UID Variable + set_fact: + matrix_user_uid: "{{ matrix_user.uid }}" From ccc7aaf0ce47262bebef9cfe565c8df5f4fd7ff3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 09:55:40 +0300 Subject: [PATCH 37/63] Fix "Migrating to a new server" flow due to dynamic user/group creation --- docs/maintenance-migrating.md | 6 ++++-- roles/matrix-base/tasks/main.yml | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index fcfe4e163..71a38e583 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md 
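Review bot: The new `setup_matrix_user.yml` creates the group as `name: "{{ matrix_user_username }}"` and binds the user to that same name, while the ownership tasks changed earlier in this series now chown to `matrix_user_groupname`; if those two variables can be set independently, `file`/`template`/`copy` tasks would reference a group that was never created. Either create the group from `matrix_user_groupname` (and use it in the `user` task's `group:`), or document next to the `group` task that the two names must match, e.g. `# The group name must equal matrix_user_groupname, which the other roles use for ownership`.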
@@ -1,8 +1,10 @@ # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime -2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` +2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` 3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)! 4. Make sure your DNS records are adjusted to point to the new server's IP address 5. Remove old server from the `inventory/hosts` file and add new server. -6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. This will create the matrix user and group and start all services on the new server +6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-system-user`. This will create the `matrix` user and group on the new server +7. Because the `matrix` user and group are created dynamically on each server, the user/group id may differ between the old and new server. We suggest that you adjust ownership of `/matrix` files manually by running this on the new server: `chown -R matrix:matrix /matrix`. +8. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` to finish the installation and start all services diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index c51d6811a..a1bb6754b 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -18,6 +18,7 @@ when: run_setup|bool tags: - always + - setup-system-user - import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" when: run_setup|bool From c1c8b8e62cbcdaf5a378bae7ad6f7b2e0a92db56 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 6 May 2020 10:17:19 +0300 Subject: [PATCH 38/63] Warn about matrix_user_uid/matrix_user_gid We don't really need to fail in such a spectactular way, but it's probably good to do. It will only happen for people who are defining their own user/group id, which is rare. It seems like a good idea to tell them that this doesn't work as they expect anymore and to ask them to remove these variables, which otherwise give them a fake sense of hope. Related to #486 (Github Pull Request). --- roles/matrix-base/tasks/main.yml | 5 +++++ roles/matrix-base/tasks/validate_config.yml | 11 +++++++++++ 2 files changed, 16 insertions(+) create mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index a1bb6754b..26e019967 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -2,6 +2,11 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool" + tags: + - setup-all + - import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" when: run_setup|bool tags: diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml new file mode 100644 index 000000000..3ea1f5a10 --- /dev/null +++ b/roles/matrix-base/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- + +- name: (Deprecation) Warn about unused user/group variables + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore. + User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything. + when: "item in vars" + with_items: + - 'matrix_user_uid' + - 'matrix_user_uid' From 884df93be196ba3559bc269035bb3046b3b4a141 Mon Sep 17 00:00:00 2001 
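Review bot: The `with_items` list in the new `validate_config.yml` names `'matrix_user_uid'` twice, so a stale `matrix_user_gid` in the inventory is never reported and the uid message is emitted twice; the second entry should be `- 'matrix_user_gid'`. The `when: "item in vars"` test only detects user-supplied values as long as this file is imported before `setup_matrix_user.yml` populates the same names via `set_fact`, which holds in `main.yml` as changed here (the import sits above `clean_up_old_files.yml`), but that ordering is load-bearing and deserves a comment such as `# Must run before setup_matrix_user.yml, which set_facts these same variable names`. The task uses the `fail` module, so despite the "Warn" in the name and subject it aborts the play; if a non-fatal warning is intended, `debug` or `ignore_errors: true` would make that explicit.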
From: Slavi Pantaleev Date: Wed, 6 May 2020 10:29:43 +0300 Subject: [PATCH 39/63] Make it clearer that Dimension requires a dedicated user --- docs/configuring-playbook-dimension.md | 28 +++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 24fd16e11..d4de8e2b1 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -4,11 +4,14 @@ If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. ## Prerequisites + This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. + ## Enable + [Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml @@ -17,6 +20,7 @@ matrix_dimension_enabled: true ## Define admin users + These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): 
@@ -26,16 +30,21 @@ matrix_dimension_admins: - "@user2:{{ matrix_domain }}" ``` + ## Access token -You are required to specify an access token for Dimension to work. -To get an access token, follow these steps: + +We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username). +Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**. + +You are required to specify an access token (belonging to this new user) for Dimension to work. +To get an access token for the Dimension user, follow these steps: 1. In a private browsing session (incognito window), open Riot. -2. It's preferable to use a dedicated user for the access token, so create and log in with that user's username and password. -3. Set the display name and avatar, if required. -4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. -5. Copy the highlighted text to your configuration. -6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. +2. Log in with the `dimension` user and its password. +1. Set the display name and avatar, if required. +2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. +3. Copy the highlighted text to your configuration. +4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** 
@@ -47,18 +56,23 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE" For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens). + +## Installation + After these variables have been set, please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` + ## Jitsi domain By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. + ## Additional features To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it. From ae1b1be3f4b6a6836e00e1371dac2662c7274048 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 11:20:14 +0300 Subject: [PATCH 40/63] Do not use matrix:matrix for Dimension configuration Dimension runs as the `node` user in the container (`1000:1000`). It doesn't seem like we have a way around it. Thus, its configuration must also be readable by that user (or group, in this case). --- roles/matrix-dimension/tasks/setup_dimension.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 1681a548b..2437a5472 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -10,7 +10,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension config installed @@ -19,7 +19,7 @@ dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension image is pulled From dd527d596850574b83f7d9f4903e3191a35ed7af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 11:28:09 +0300 Subject: [PATCH 41/63] Ensure correct dimension.db file ownership This is mostly here to guard against problems happening due to server migration and doing `chown -R matrix:matrix /matrix`. Normally, the file is owned by `1000:1000`, as expected. If ownership changes, Dimension could still start, but it will fail the first time it tries to write to the database. Explicitly chowning before startup guards against this. Related to #485 and #486 (Github Pull Requests). Also related to ccc7aaf0ce47262beb. --- .../templates/systemd/matrix-dimension.service.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index c32027b12..0a8d0c839 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 
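Review bot: Both hunks in this file switch the group of the Dimension directory (`mode: 0770`) and of config.yaml (`mode: 0640`) to `{{ matrix_dimension_user_gid }}`, which the commit message identifies as the container's `node` GID 1000; on many hosts GID 1000 is also the primary group of the first interactive account, so that host user gains read access to config.yaml and write access to the directory for as long as the GIDs coincide. Since the container user apparently cannot be changed, the trade-off deserves a comment next to the first task, e.g. `# Dimension runs as node (1000:1000) inside its container and needs group access to its config; on hosts where GID 1000 belongs to a regular user, that user can read config.yaml and its secrets.` — I am assuming the access token is templated into config.yaml, which this hunk does not show. If `matrix_dimension_user_gid` is meant to stay overridable, the docs should say it must not be a login user's group.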
@@ -9,6 +9,9 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-dimension ExecStartPre=-/usr/bin/docker rm matrix-dimension +# Fixup database ownership if it got changed somehow (during a server migration, etc.) +ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db + ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ From 787f12e70d9e5828dfbcbda6af76de5a4131ab1a Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 8 May 2020 13:56:31 -0500 Subject: [PATCH 42/63] Fix typo in validation --- roles/matrix-base/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml index 3ea1f5a10..526866190 100644 --- a/roles/matrix-base/tasks/validate_config.yml +++ b/roles/matrix-base/tasks/validate_config.yml @@ -8,4 +8,4 @@ when: "item in vars" with_items: - 'matrix_user_uid' - - 'matrix_user_uid' + - 'matrix_user_gid' From 89deb1b195e14136e0a3e2fe587b3d5efce712c3 Mon Sep 17 00:00:00 2001 From: Kevin Lanni Date: Sat, 9 May 2020 11:04:49 -0700 Subject: [PATCH 43/63] Add note about ask-become-pass This flag is necessary for Ansible to ask for the sudo password when using the non-root option as documented in the `hosts` file. Otherwise, Ansible errors out with `missing sudo password`. --- docs/installing.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/installing.md b/docs/installing.md index 1e3ebf540..43758ffb2 100644 --- a/docs/installing.md +++ b/docs/installing.md 
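Review bot: The added `ExecStartPre=-/usr/bin/chown … dimension.db` runs as root and dereferences symlinks, while the directory it operates in is group-writable by the same container GID (PATCH 40 sets the base path to `mode: 0770` with `group: "{{ matrix_dimension_user_gid }}"`), so a symlink left at that path by the container user would have its target chowned by root on the next restart; `chown -h` (`--no-dereference`) keeps the operation on the directory entry itself and behaves identically for the regular-file case. The leading `-` also silently covers the first start, when dimension.db does not exist yet, and the comment could say so: `# Fixup database ownership if it got changed somehow (server migration, etc.). Failure is ignored because the file does not exist before the first start.` The `ExecStart` command continues past the hunk.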
@@ -10,6 +10,8 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all **Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +**Note**: if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. + The above command **doesn't start any services just yet** (another step does this later - below). Feel free to **re-run this setup command any time** you think something is off with the server configuration. From 308fc9c60a15b91354306bb525537b2c83e43476 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 May 2020 09:52:52 +0300 Subject: [PATCH 44/63] Fix webhooks service address when matrix-nginx-proxy disabled Fixes #494 (Github Issue). --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 382897fd6..970a5703b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -88,7 +88,7 @@ matrix_appservice_webhooks_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" 
From 058e3bbd7fc7eac3feb63d4114e1bcc571188850 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 10 May 2020 18:44:52 +0200 Subject: [PATCH 45/63] Document how to administer synapse database via tunneled web-frontend --- docs/maintenance-synapse.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index ab33b9de7..b7c1ede22 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -14,6 +14,7 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) +- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands ## Purging unused data with synapse-janitor 
@@ -76,3 +77,23 @@ Don't forget that disk space only ever gets released after a [`FULL` Postgres `V Unfortunately, at this time the playbook can't help you run this **experimental tool**. Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. + +## Browse and manipulate the database + +When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. +First, set up an SSH tunnel to your matrix server (skip if it is your local machine): + +``` +# you may replace 1799 with an arbitrary port unbound on both machines +ssh -L 1799:localhost:1799 matrix.DOMAIN +``` + +Then start up an ephemeral [adminer](https://www.adminer.org/) container, connecting it to the matrix-net and linking the postgresql container: + +``` +docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer +``` + +You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`) + +⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations. From 4ff7e753b2b7471bd6a152cca76818a00aedac65 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 May 2020 11:09:22 +0300 Subject: [PATCH 46/63] Make it clearer where to spawn adminer --- docs/maintenance-synapse.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index b7c1ede22..9c70934dd 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md 
@@ -88,7 +88,7 @@ First, set up an SSH tunnel to your matrix server (skip if it is your local mach ssh -L 1799:localhost:1799 matrix.DOMAIN ``` -Then start up an ephemeral [adminer](https://www.adminer.org/) container, connecting it to the matrix-net and linking the postgresql container: +Then start up an ephemeral [adminer](https://www.adminer.org/) container on the Matrix server, connecting it to the `matrix` network and linking the postgresql container: ``` docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer From 93f4111654a202158f85fa15d5ff898274ab893d Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 13 May 2020 16:15:37 +0200 Subject: [PATCH 47/63] Prevent 404s when Riot tries to retrieve domain-specific config.json Riot unconditionally asks for a config.${document.domain}.json, c.f. https://github.com/vector-im/riot-web/blame/develop/src/vector/getconfig.ts#L24 --- .../matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 51c61f47b..364e0fa1e 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -24,6 +24,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \ {% if matrix_riot_web_embedded_pages_home_path is not none %} -v {{ matrix_riot_web_data_path }}/home.html:/app/home.html:ro \ {% endif %} From d430e42c99e94e763525402579d8cfd2de9d50ea Mon Sep 17 00:00:00 2001 
From: chagai95 <31655082+chagai95@users.noreply.github.com> Date: Sat, 16 May 2020 14:49:12 +0200 Subject: [PATCH 48/63] Typo STMP -> SMTP --- docs/configuring-playbook-email.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index 0933fb546..d9721a4ef 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md @@ -34,7 +34,7 @@ matrix_mailer_relay_auth_password: "some-password" ### Configuations for sending emails using Sendgrid -An easy and free STMP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. +An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`. From c2df3d7bbfc4bd9397d5512ae80f175d4daf6004 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 16 May 2020 15:00:44 +0200 Subject: [PATCH 49/63] Update jitsi containers to 4548-1 --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index fc428b961..9d79a5cd3 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4416" +matrix_jitsi_web_docker_image: "jitsi/web:4548-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -96,7 +96,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4416" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -109,7 +109,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4416" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4548-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -126,7 +126,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4416" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4548-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From fbd8f3ec9bcebcef9c09e7a345a6713a4a3c2c51 Mon Sep 17 00:00:00 2001 
From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 16 May 2020 15:12:51 +0200 Subject: [PATCH 50/63] Jitsi prosody: add volume /prosody-plugins-custom --- roles/matrix-jitsi/defaults/main.yml | 1 + .../templates/prosody/matrix-jitsi-prosody.service.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 9d79a5cd3..bc61829ef 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -101,6 +101,7 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" +matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" # A list of extra arguments to pass to the container matrix_jitsi_prosody_container_extra_arguments: [] diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index bf43021de..459a24d3a 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_prosody_base_path }}/env \ -v {{ matrix_jitsi_prosody_config_path }}:/config \ + -v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \ {% for arg in matrix_jitsi_prosody_container_extra_arguments %} {{ arg }} \ {% endfor %} From 47001258b5935e86e239b7a4acc328a76b1fa41c Mon Sep 17 00:00:00 2001 
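Review bot: The new bind mount `-v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom` is read-write, yet what it presumably carries is plugin code that prosody loads at start; mounting it `:ro` (`-v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom:ro`) keeps a process inside the container from altering the modules that will run at its next start, and nothing in the hunk suggests prosody needs to write there. The host directory is not created by this commit, so Docker would create it itself, root-owned, on first start; PATCH 51 in this series adds it to the setup task, but the defaults hunk would still benefit from a comment such as `# Host directory for custom prosody plugins, mounted at /prosody-plugins-custom in the container`. The config mount on the line above has the same read-write shape, but it is not part of this change.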
From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 17 May 2020 14:19:58 +0200 Subject: [PATCH 51/63] Ensure prosody plugin path created / permissions --- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 4159362da..66299f64b 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -14,6 +14,7 @@ with_items: - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-prosody Docker image is pulled From ba23779b05a89714d7cecb3ce9db96652cb1b56f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 May 2020 21:23:18 +0300 Subject: [PATCH 52/63] Fix incorrect Jitsi container image tags Related to #508 (Github Pull Request). --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bc61829ef..21dae4481 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4548-1" +matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" 
@@ -96,7 +96,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4548-1" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -110,7 +110,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4548-1" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -127,7 +127,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4548-1" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 07ff1162661b52a0a161ec769f4ad55aa3393d4c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 12:57:19 +0300 Subject: [PATCH 53/63] Do not send User Directory search requests to ma1sd for now We can undo this once https://github.com/ma1uta/ma1sd/issues/44 gets resolved. --- CHANGELOG.md | 14 ++++++++++++++ group_vars/matrix_servers | 5 ++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e0188795..de86333da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,16 @@ +# 2020-05-19 + +## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server + +User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database. + +ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc. + +Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**. + +*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"` + + # 2020-04-28 ## Newer IRC bridge (with potential breaking change) @@ -11,6 +24,7 @@ If you did not include `mappings` in your configuration for IRC, no change is necessary. `mappings` is not part of the default configuration. + # 2020-04-23 ## Slack bridging support diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 970a5703b..6d9876acf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -616,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" +# Not proxying the user directory search to the identity server by default anymore, +# because it currently leaks data. +# See: https://github.com/ma1uta/ma1sd/issues/44 +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" From 7a2dbdc2d7c5595a6bab71295f62660d152d7eee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 15:06:35 +0300 Subject: [PATCH 54/63] Update components --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- roles/matrix-riot-web/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 5f6d0503e..819691f6b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml 
@@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.16.0" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f329f1ad..07dd20381 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 71255e243..d82336991 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.1" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From a03e95b7eb4d20ba3765e959af332feb2ad66057 Mon Sep 17 00:00:00 2001 
From: louis Date: Tue, 19 May 2020 17:06:11 +0200 Subject: [PATCH 55/63] enable by default v2 api prefix for ma1sd --- roles/matrix-ma1sd/defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 144f4932e..a02845f95 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -76,6 +76,10 @@ matrix_ma1sd_self_check_validate_certificates: true # According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity matrix_ma1sd_verbose_logging: false +# Setting up support for API prefixes +matrix_ma1sd_v1_enabled: true +matrix_ma1sd_v2_enabled: true + # Default ma1sd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -85,6 +89,8 @@ matrix_ma1sd_configuration_yaml: | #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} + v1: {{ matrix_ma1sd_v1_enabled }} + v2: {{ matrix_ma1sd_v2_enabled }} server: name: {{ matrix_server_fqn_matrix }} From a3259bbd777da37f7446d16e049f2fb9ea8326a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 21:15:23 +0300 Subject: [PATCH 56/63] Add |to_json to some variables --- roles/matrix-ma1sd/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index a02845f95..ff2f72d4a 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -89,8 +89,8 @@ matrix_ma1sd_configuration_yaml: | #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} - v1: {{ matrix_ma1sd_v1_enabled }} - v2: {{ matrix_ma1sd_v2_enabled }} + v1: {{ matrix_ma1sd_v1_enabled|to_json }} + v2: {{ matrix_ma1sd_v2_enabled|to_json }} server: name: {{ matrix_server_fqn_matrix }} From 8fb3ce6f6d4c312f264d613b21308d3d07cd4414 Mon Sep 17 00:00:00 2001 
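Review bot: The comment `# Setting up support for API prefixes` above the two new toggles does not say what they control; a line naming the ma1sd API versions that `matrix_ma1sd_v1_enabled` and `matrix_ma1sd_v2_enabled` switch on, and why both default to `true`, would let an operator decide whether to keep the older one enabled without consulting the ma1sd documentation. The toggles themselves are plain booleans, which matches the surrounding defaults.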
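Review bot: `v1: {{ matrix_ma1sd_v1_enabled }}` and `v2: {{ matrix_ma1sd_v2_enabled }}` render the Ansible booleans as Python's `True`/`False`, which a YAML 1.1 loader happens to accept but which is not the canonical form and silently changes meaning if an operator sets the variable to a string such as `"yes"`; `v1: {{ matrix_ma1sd_v1_enabled|to_json }}` renders a proper YAML boolean, and PATCH 56 in this series makes that change. The `matrix:` block these keys are spliced into continues outside the hunk.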
From: Slavi Pantaleev Date: Tue, 19 May 2020 21:35:32 +0300 Subject: [PATCH 57/63] Upgrade Synapse (v1.12.4 -> v1.13.0) --- .../tasks/import_sqlite_db.yml | 1 - roles/matrix-synapse/defaults/main.yml | 3 +- roles/matrix-synapse/tasks/setup_synapse.yml | 1 - .../templates/synapse/homeserver.yaml.j2 | 166 +++++++++++++----- .../synapse/systemd/matrix-synapse.service.j2 | 1 - 5 files changed, 123 insertions(+), 49 deletions(-) diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index eab4e8924..42c39a2de 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -79,7 +79,6 @@ --network={{ matrix_docker_network }} --entrypoint=python -v {{ matrix_synapse_config_dir_path }}:/data - -v {{ matrix_synapse_run_path }}:/matrix-run -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8597c7510..50d7d8243 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
@@ -5,13 +5,12 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.4" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" -matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index 4fb41b1ae..1ae7ade69 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -9,7 +9,6 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - - { path: "{{ matrix_synapse_run_path }}", when: true } - { path: "{{ matrix_synapse_ext_path }}", when: true } - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4479d8fc0..e729c7330 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 
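Review bot: Dropping `matrix_synapse_run_path` from defaults/main.yml and from the directory list in setup_synapse.yml (the second hunk on this line) stops creating `{{ matrix_synapse_base_path }}/run`, but existing installations keep the directory and whatever in-progress uploads were left under it (the homeserver.yaml.j2 hunk of this commit removes `uploads_path: "/matrix-run/uploads"`, which pointed there); if the role has a clean-up task for obsolete paths this directory belongs in it, and otherwise a CHANGELOG note telling operators they can delete it would do. Operators who referenced `matrix_synapse_run_path` in their own vars now get an undefined-variable error with no hint of why, so a deprecation check in the style of the matrix-base validate_config task from PATCH 38 would give a clearer message. The remaining hunks of this commit are on the following lines.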
@@ -20,10 +20,15 @@ server_name: "{{ matrix_domain }}" # pid_file: /homeserver.pid -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. # -#web_client_location: "/path/to/web/root" +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would @@ -252,6 +257,19 @@ listeners: {% endif %} +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + ## Homeserver blocking ## # How to reach the server admin, used in ResourceLimitError 
@@ -410,6 +428,16 @@ retention: # longest_max_lifetime: 1y # interval: 1d +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + ## TLS ## @@ -706,20 +734,15 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire # #media_storage_providers: # - module: file_system -# # Whether to write new local files. +# # Whether to store newly uploaded local files # store_local: false -# # Whether to write new remote media +# # Whether to store newly downloaded remote files # store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete +# # Whether to wait for successful storage for local uploads # store_synchronous: false # config: # directory: /mnt/some/other/directory -# Directory where in-progress uploads are stored. -# -uploads_path: "/matrix-run/uploads" - # The largest allowed upload size in bytes # max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" 
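Review bot: `request_token_inhibit_3pid_errors` lands only as a commented-out example, so the e-mail-enumeration mitigation it describes stays off and cannot be switched on through any playbook variable. This template already renders most operator-facing options from `matrix_synapse_*` defaults via `|to_json`, so the same shape would fit here, e.g. `request_token_inhibit_3pid_errors: {{ matrix_synapse_request_token_inhibit_3pid_errors|to_json }}` with a `false` default (the variable name is a proposal, not an existing one). The trade-off worth documenting next to it is the one the comment states: the endpoints then return a fake `sid` instead of an error, which is a client-visible behaviour change.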
@@ -834,6 +857,31 @@ url_preview_ip_range_blacklist: # max_spider_size: 10M +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + ## Captcha ## # See docs/CAPTCHA_SETUP for full details of configuring this. @@ -852,10 +900,6 @@ max_spider_size: 10M # #enable_registration_captcha: false -# A secret key used to bypass the captcha test entirely. -# -#captcha_bypass_secret: "YOUR_SECRET_HERE" - # The API endpoint to use for verifying m.login.recaptcha responses. # #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" 
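Review bot: `url_preview_accept_language:` is emitted as a bare key while its only list item is commented out, so the rendered YAML carries `null` rather than a list; whether Synapse treats `null` as "use the default" is not visible here, and yamllint's `empty-values` rule flags exactly this. Either keep the whole example commented (`#url_preview_accept_language:`) or give the key an explicit value, `url_preview_accept_language: ["en"]`, which matches the default stated in the comment above it.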
@@ -1066,6 +1110,29 @@ account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + # Users who register on this homeserver will automatically be joined # to these rooms # @@ -1108,7 +1175,7 @@ sentry: # enabled by default, either for performance reasons or limited use. # metrics_flags: - # Publish synapse_federation_known_servers, a g auge of the number of + # Publish synapse_federation_known_servers, a gauge of the number of # servers this homeserver knows about, including itself. May cause # performance problems on large homeservers. # 
@@ -1272,32 +1339,32 @@ saml2_config: # remote: # - url: https://our_idp/metadata.xml # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + # # By default, the user has to go to our login page first. If you'd like + # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # # 'service.sp' section: + # # + # #service: + # # sp: + # # allow_unsolicited: true + # + # # The examples below are just used to generate our metadata xml, and you + # # may well not need them, depending on your setup. Alternatively you + # # may need a whole lot more detail - see the pysaml2 docs! + # + # description: ["My awesome SP", "en"] + # name: ["Test SP", "en"] + # + # organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + # + # contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: 
@@ -1532,8 +1599,19 @@ email: #template_dir: "res/templates" {% endif %} - -#password_providers: +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider # - module: "ldap_auth_provider.LdapAuthProvider" # config: # enabled: true diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 0bd2c25d5..e7b7f1c66 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -45,7 +45,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ - -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ From ee3944bcdb1befeaf4daa278a846084bc9087913 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Thu, 21 May 2020 11:40:40 -0500 Subject: [PATCH 58/63] Update postgres (12.2 -> 12.3, etc) --- roles/matrix-postgres/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4089793a8..e26c43e7b 100644 --- a/roles/matrix-postgres/defaults/main.yml 
+++ b/roles/matrix-postgres/defaults/main.yml @@ -8,10 +8,10 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine" -matrix_postgres_docker_image_v10: "postgres:10.12-alpine" -matrix_postgres_docker_image_v11: "postgres:11.7-alpine" -matrix_postgres_docker_image_v12: "postgres:12.2-alpine" +matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine" +matrix_postgres_docker_image_v10: "postgres:10.13-alpine" +matrix_postgres_docker_image_v11: "postgres:11.8-alpine" +matrix_postgres_docker_image_v12: "postgres:12.3-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}" # This variable is assigned at runtime. Overriding its value has no effect. From c1bb4f680ef96a5df8c681fcb75671e4b595dafa Mon Sep 17 00:00:00 2001 From: joao-p-marques Date: Thu, 21 May 2020 23:40:38 +0100 Subject: [PATCH 59/63] enable oauth --- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 7648fafe3..8a993bb73 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -68,7 +68,7 @@ matrix_mx_puppet_slack_configuration_yaml: | # Slack OAuth settings. Create a slack app at https://api.slack.com/apps oauth: - enabled: false + enabled: true # Slack app credentials. # N.B. This must be quoted so YAML wouldn't parse it as a float. clientId: "{{ matrix_mx_puppet_slack_client_id }}" From afd6d7e45ab5baa316dbd677ea4f5c6321452f2e Mon Sep 17 00:00:00 2001 
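Review bot: Flipping `oauth.enabled` to `true` makes the rendered bridge config depend on `matrix_mx_puppet_slack_client_id` (and presumably a matching secret further down the template, outside this hunk) being set, but the hunk adds no guard; if those variables default to empty strings the bridge now starts with OAuth switched on and blank credentials. A validate_config task in the role that fails when the bridge is enabled and the client id or secret is empty would surface that at deploy time rather than at first login, assuming no such check already exists elsewhere in the role.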
From: joao-p-marques Date: Thu, 21 May 2020 23:40:54 +0100 Subject: [PATCH 60/63] change var name to correct one --- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 0b823b2c3..5781adf5e 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -50,7 +50,7 @@ }} tags: - always - when: matrix_appservice_slack_enabled|bool + when: matrix_mx_puppet_slack_enabled|bool - name: Warn about reverse-proxying if matrix-nginx-proxy not used debug: @@ -60,7 +60,7 @@ Please make sure that you're proxying the `{{ something }}` URL endpoint to the matrix-appservice-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. - when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" + when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here From 3198ed0dc962ef2abd9875387e61a59b307ad541 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 May 2020 11:12:06 +0300 Subject: [PATCH 61/63] Add missing matrix_mx_puppet_slack_container_http_host_bind_port variable --- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 5 +++++ roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 4 ++-- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 3 +++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 8a993bb73..083910b1b 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml 
+++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -5,6 +5,11 @@ matrix_mx_puppet_slack_enabled: true matrix_mx_puppet_slack_container_image_self_build: false +# Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_slack_container_http_host_bind_port: '' + matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 5781adf5e..dac04b9bf 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -57,8 +57,8 @@ msg: >- NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy reverse proxy. - Please make sure that you're proxying the `{{ something }}` - URL endpoint to the matrix-appservice-slack container. + Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}` + URL endpoint to the matrix-mx-puppet-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index a86c6765d..6db537336 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 
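Review bot: The new comment reads `Takes an ":" or "" value`, which looks like placeholders such as `<ip>:<port>` / `<port>` were lost (possibly stripped as HTML), so as committed it does not say what the two accepted forms are. While restoring it, state the consequence of the bare-port form: the service template publishes this value with `docker run -p`, and a value without a host address binds on all interfaces, so the comment should steer operators to the `127.0.0.1:8432` form, e.g. `# Use "127.0.0.1:<port>" unless the port must be reachable from other hosts; a bare "<port>" publishes it on all interfaces.`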
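Review bot: The warning in init.yml still tells operators to set `matrix_appservice_slack_container_http_host_bind_port`, but the variable this commit introduces and the service template reads is `matrix_mx_puppet_slack_container_http_host_bind_port`, so following the message sets a variable this role never consults and leaves the port unpublished. That line is context in this hunk and in the -60 hunk of the preceding commit, so the commit's message fix is incomplete; replace `matrix_appservice_slack_container_http_host_bind_port` with `matrix_mx_puppet_slack_container_http_host_bind_port` in the msg block.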
@@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_mx_puppet_slack_container_http_host_bind_port %} + -p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \ + {% endif %} -e CONFIG_PATH=/config/config.yaml \ -e REGISTRATION_PATH=/config/registration.yaml \ -v {{ matrix_mx_puppet_slack_config_path }}:/config:z \ From 5c7e5c57bda1af540322b6c64568705fe109c285 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 May 2020 18:08:17 +0300 Subject: [PATCH 62/63] Upgrade riot-web (1.6.1 -> 1.6.2) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index d82336991..1dc1be04c 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.1" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.2" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 4c4f208613230d652043a334b8645f8e80bfef81 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 May 2020 19:54:30 +0300 Subject: [PATCH 63/63] Upgrade mautrix-telegram (0.7.0 -> 0.7.2) --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b491dce8b..1e77eb023 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml 
@@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"