From 3d6fd501de4d69d973ac15f88e402e3474329323 Mon Sep 17 00:00:00 2001 From: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Date: Tue, 3 Oct 2023 15:59:01 +0200 Subject: [PATCH 01/21] Fix link in Draupnir docs --- docs/configuring-playbook-bot-draupnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 2308b5472..59cce0af5 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -77,7 +77,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. +You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/the-draupnir-project/Draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. From 21ef495c2e99f2d656f40ed4b2faadd63f1be80c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 3 Oct 2023 17:37:54 +0300 Subject: [PATCH 02/21] Upgrade mautrix-googlechat (v0.5.0 -> v0.5.1) --- roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index de0123043..9a4c74d69 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}" -matrix_mautrix_googlechat_version: v0.5.0 +matrix_mautrix_googlechat_version: v0.5.1 # See: https://mau.dev/mautrix/googlechat/container_registry matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" From 86422d734285504423c771941f0d5d110a8255d9 Mon Sep 17 00:00:00 2001 From: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Date: Tue, 3 Oct 2023 17:41:35 +0200 Subject: [PATCH 03/21] Document how to enable Draupnir report polling --- docs/configuring-playbook-bot-draupnir.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 59cce0af5..a02a64c4f 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -20,7 +20,7 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` -If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. +If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports ((see below)[#abuse-reports]), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. ## 2. Get an access token @@ -94,3 +94,17 @@ matrix_bot_draupnir_configuration_extension_yaml: | # completely redefining `matrix_bot_draupnir_configuration_yaml`. recordIgnoredInvites: true ``` + +## Abuse Reports + +Draupnir supports two methods to receive reports in the management room. + +The first method intercepts the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. +While this playbook uses reverse proxies, it does not yet implement this. + +The other method polls an synapse admin API endpoint and is hence only available when using synapse and when the Draupnir user is an admin user (see step 1). +To enable it, set `pollReports: true` in Draupnir's config: +```yaml +matrix_bot_draupnir_configuration_extension_yaml: | + pollReports: true +``` From 69a885c5c40d5a175ece4ea0c4997e13ba63cb3d Mon Sep 17 00:00:00 2001 From: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Date: Tue, 3 Oct 2023 17:43:39 +0200 Subject: [PATCH 04/21] Fix section link --- docs/configuring-playbook-bot-draupnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index a02a64c4f..a2cc9c09d 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -20,7 +20,7 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` -If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports ((see below)[#abuse-reports]), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. +If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports ([see below](#abuse-reports)), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. ## 2. Get an access token From 5ec9349810e09a9bb08def71bea5f0838b93c170 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 4 Oct 2023 16:19:09 +0300 Subject: [PATCH 05/21] Update prometheus 2.47.0 -> 2.47.1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 14bc66249..49ae0a0f1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -42,7 +42,7 @@ - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.7.0-2 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.47.0-0 + version: v2.47.1-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.6.1-0 From c8e0f35c945394ffefd5be1115090f6b86b527f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 5 Oct 2023 17:00:59 +0300 Subject: [PATCH 06/21] Upgrade Coturn (4.6.2-r4 -> 4.6.2-r5) --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index dd25df709..1e87d8087 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.2-r4 +matrix_coturn_version: 4.6.2-r5 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 11b032f3ad6daaa9eacd6f21ff11b923ae7ee471 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 6 Oct 2023 08:38:04 +0300 Subject: [PATCH 07/21] Pass media_url and displayname to Heisenbridge - do not make it guess Without explicitly passing the `media_url` configuration, Heisenbridge would try to guess it. It works most of the time, but some people are experiencing trouble with it. There's no need for wasteful work and for potential unreliability, so we now configure the `media_url` explicitly. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2932 --- .../matrix-bridge-heisenbridge/defaults/main.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index c81c4fe6b..edab0e03c 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml @@ -30,7 +30,15 @@ matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_heisenbridge_appservice_token: '' matrix_heisenbridge_homeserver_token: '' -# Default registration file +matrix_heisenbridge_config_media_url: "{{ matrix_homeserver_url }}" +matrix_heisenbridge_config_displayname: "Heisenbridge" + +matrix_heisenbridge_registration_yaml_heisenbridge: + media_url: "{{ matrix_heisenbridge_config_media_url }}" + displayname: "{{ matrix_heisenbridge_config_displayname }}" + +# Default registration file consumed by both the homeserver and Heisenbridge. +# Besides registration information, it contains configuration (see the heisenbridge key). matrix_heisenbridge_registration_yaml: id: heisenbridge url: http://matrix-heisenbridge:9898 @@ -44,5 +52,6 @@ matrix_heisenbridge_registration_yaml: exclusive: true aliases: [] rooms: [] + heisenbridge: "{{ matrix_heisenbridge_registration_yaml_heisenbridge }}" matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml | from_yaml }}" From 408aec7d5bbf2aeee4f759916580c9ffb2432024 Mon Sep 17 00:00:00 2001 From: Julian Foad Date: Mon, 9 Oct 2023 11:03:26 +0100 Subject: [PATCH 08/21] client-hydrogen: fix self-build Self-build now requires the new docker buildx/buildkit, so switch from the ansible docker module to running a docker build command, like elsewhere. --- .../tasks/setup_install.yml | 56 +++++++++++-------- 1 file changed, 34 insertions(+), 22 deletions(-) diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml index 0e1148042..375e3c697 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml @@ -12,6 +12,40 @@ - {path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}"} when: "item.when | bool" +- when: "matrix_client_hydrogen_container_image_self_build | bool" + block: + - name: Ensure Hydrogen repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_client_hydrogen_git_pull_results + + - name: Check if Hydrogen Docker image exists + ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_client_hydrogen_docker_image }}'" + register: matrix_client_hydrogen_docker_image_check_result + changed_when: false + + # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module, + # because the latter does not support BuildKit. + # See: https://github.com/ansible-collections/community.general/issues/514 + - name: Ensure Hydrogen Docker image is built + ansible.builtin.shell: + chdir: "{{ matrix_client_hydrogen_docker_src_files_path }}" + cmd: | + {{ devture_systemd_docker_base_host_command_docker }} build \ + -t "{{ matrix_client_hydrogen_docker_image }}" \ + -f Dockerfile \ + --push \ + . + environment: + DOCKER_BUILDKIT: 1 + changed_when: true + when: "matrix_client_hydrogen_git_pull_results.changed | bool or matrix_client_hydrogen_docker_image_check_result.stdout == ''" + - name: Ensure Hydrogen Docker image is pulled community.docker.docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" @@ -24,17 +58,6 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Ensure Hydrogen repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" - version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_client_hydrogen_git_pull_results - when: "matrix_client_hydrogen_container_image_self_build | bool" - - name: Ensure Hydrogen configuration installed ansible.builtin.copy: content: "{{ matrix_client_hydrogen_configuration | to_nice_json }}" @@ -54,17 +77,6 @@ - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} -- name: Ensure Hydrogen Docker image is built - community.docker.docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - source: build - force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_client_hydrogen_docker_src_files_path }}" - pull: true - when: "matrix_client_hydrogen_container_image_self_build | bool" - - name: Ensure Hydrogen container network is created community.general.docker_network: name: "{{ matrix_client_hydrogen_container_network }}" From 3e43b9d1c73101183bdd348f033ba09161efba30 Mon Sep 17 00:00:00 2001 From: Julian Foad Date: Mon, 9 Oct 2023 13:28:50 +0100 Subject: [PATCH 09/21] client-hydrogen: remove unrelated change (docker push) --- roles/custom/matrix-client-hydrogen/tasks/setup_install.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml index 375e3c697..5ca6cb732 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml @@ -39,7 +39,6 @@ {{ devture_systemd_docker_base_host_command_docker }} build \ -t "{{ matrix_client_hydrogen_docker_image }}" \ -f Dockerfile \ - --push \ . environment: DOCKER_BUILDKIT: 1 From ccbff150cd2deaa82af09af110939528b4a01576 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Oct 2023 10:19:20 +0300 Subject: [PATCH 10/21] Upgrade ddclient (v3.10.0-ls135 -> v3.10.0-ls136) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index ca50813d2..dc5865455 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls135 +matrix_dynamic_dns_version: v3.10.0-ls136 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From dc9ff4e01b4ef1293af6bd5fb4b10753033a2814 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Oct 2023 11:10:21 +0300 Subject: [PATCH 11/21] Add support for external-IP-address-autodetection to Coturn --- docs/configuring-playbook-turn.md | 13 +++++++- examples/vars.yml | 16 ++++++++++ group_vars/matrix_servers | 3 ++ roles/custom/matrix-coturn/defaults/main.yml | 19 ++++++++++- .../matrix-coturn/tasks/setup_install.yml | 32 +++++++++++++++++++ .../templates/turnserver.conf.j2 | 2 +- 6 files changed, 82 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index 365fea4b1..c7bf998fd 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md @@ -16,13 +16,24 @@ matrix_coturn_enabled: false In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail. ## Manually defining your public IP + In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring Coturn. + If you'd rather use a local IP for `ansible_host`, make sure to set up `matrix_coturn_turn_external_ip_address` replacing `YOUR_PUBLIC_IP` with the pubic IP used by the server. ```yaml matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP" ``` +If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set `matrix_coturn_turn_external_ip_address` to an empty value. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable. + +If your server has multiple external IP addresses, the Coturn role offers a different variable for specifying them: + +```yaml +# Note: matrix_coturn_turn_external_ip_addresses is different than matrix_coturn_turn_external_ip_address +matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7'] +``` + ## Using your own external Coturn server If you'd like to use another TURN server (be it Coturn or some other one), you can configure the playbook like this: @@ -49,4 +60,4 @@ jitsi_web_stun_servers: You can put multiple host/port combinations if you like. ## Further variables and configuration options -To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml +To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml diff --git a/examples/vars.yml b/examples/vars.yml index 784bf0613..dd9a97c4c 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -41,3 +41,19 @@ devture_traefik_config_certificatesResolvers_acme_email: '' # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. devture_postgres_connection_password: '' + +# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file. +# If this value is an external IP address, you can skip this section. +# +# If `ansible_host` is not the server's external IP address, you have 2 choices: +# 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below) +# 2. Uncomment and adjust the line below to specify an IP address manually +# +# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API. +# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role +# (see `roles/custom/matrix-coturn/defaults/main.yml`). +# +# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses. +# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']` +# +# matrix_coturn_turn_external_ip_address: '' diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index eaac3385d..ad6433c48 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2245,6 +2245,9 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" +# We make the assumption that `ansible_host` points to an external IP address, which may not always be the case. +# Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string +# to allow auto-detection (via an EchoIP service) to happen at runtime. matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 1e87d8087..c090d038b 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -73,8 +73,25 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_static_auth_secret: "" # The external IP address of the machine where Coturn is. +# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done. +# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled` matrix_coturn_turn_external_ip_address: '' -matrix_coturn_turn_external_ip_addresses: ["{{ matrix_coturn_turn_external_ip_address }}"] +matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}" + +# Controls whether external IP address auto-detection should be attempted. +# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified. +# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url +matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}" + +# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address. +# By default, we use the official public instance. +matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json + +# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url) +matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true + +matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}" +matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}" matrix_coturn_allowed_peer_ips: [] diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 503ffae10..6064b3603 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml @@ -1,5 +1,37 @@ --- +- when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool + block: + - when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == '' + name: Fail if enabled, but EchoIP service URL unset + ansible.builtin.fail: + msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url" + + # NOTE: + # `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used. + # Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4. + - name: Fetch IP address information from EchoIP service + ansible.builtin.uri: + url: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}" + headers: + Content-Type: application/json + follow_redirects: none + validate_certs: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}" + register: result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response + ignore_errors: true + check_mode: false + retries: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}" + delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}" + until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed + + - when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)" + name: Fail if EchoIP service failed + ansible.builtin.fail: + msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}" + + - ansible.builtin.set_fact: + matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}" + - name: Ensure Matrix Coturn path exists ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index 3ed7b99fa..b4688ff9e 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 @@ -5,7 +5,7 @@ realm=turn.{{ matrix_server_fqn_matrix }} min-port={{ matrix_coturn_turn_udp_min_port }} max-port={{ matrix_coturn_turn_udp_max_port }} -{% for ip in matrix_coturn_turn_external_ip_addresses|select('ne', '') %} +{% for ip in matrix_coturn_turn_external_ip_addresses %} external-ip={{ ip }} {% endfor %} From 15763e5418527b44432d3388e2a670f6e0a34f66 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Oct 2023 12:14:25 +0300 Subject: [PATCH 12/21] Upgrade Element (v1.11.45 -> v1.11.46) --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index f80dea84a..e86eaed1d 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.45 +matrix_client_element_version: v1.11.46 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 37195d49dc42cd32ffc567042e0de409b85c42d2 Mon Sep 17 00:00:00 2001 From: slikie <13197246+slikie@users.noreply.github.com> Date: Tue, 10 Oct 2023 19:26:37 +0800 Subject: [PATCH 13/21] Update main.yml --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 32ae30f44..8a2e94e6e 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.93.0 +matrix_synapse_version: v1.94.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 954634b580fbe802764d55a088fe23f2f1f738d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Oct 2023 11:12:28 +0300 Subject: [PATCH 14/21] Make ansible-lint happy --- roles/custom/matrix-coturn/tasks/setup_install.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 6064b3603..fbeba92d2 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml @@ -2,8 +2,8 @@ - when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool block: - - when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == '' - name: Fail if enabled, but EchoIP service URL unset + - name: Fail if enabled, but EchoIP service URL unset + when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == '' ansible.builtin.fail: msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url" @@ -24,8 +24,8 @@ delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}" until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed - - when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)" - name: Fail if EchoIP service failed + - name: Fail if EchoIP service failed + when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)" ansible.builtin.fail: msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}" From 7e54417fcad034209ac90c51a43239c4be5a750a Mon Sep 17 00:00:00 2001 From: throny Date: Wed, 11 Oct 2023 11:26:42 +0200 Subject: [PATCH 15/21] Update maintenance-postgres.md no postgres 16 support with borg, 15 works. --- docs/maintenance-postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 7c52b3139..a69922841 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -87,7 +87,7 @@ This playbook can upgrade your existing Postgres setup with the following comman just run-tags upgrade-postgres ``` -**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** +**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 16 support yet.** **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` From 2441cf3ab10a7e8cecc8610f61393df93d02aaa7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Oct 2023 20:37:17 +0300 Subject: [PATCH 16/21] Upgrade sliding-sync (v0.99.10 -> v0.99.11) --- roles/custom/matrix-sliding-sync/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index 73afcaf3f..ac1fe9034 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -5,7 +5,7 @@ matrix_sliding_sync_enabled: true -matrix_sliding_sync_version: v0.99.10 +matrix_sliding_sync_version: v0.99.11 matrix_sliding_sync_scheme: https From c301c06a538efdd75e588119f1fe9d1e48f1eb22 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Oct 2023 20:38:42 +0300 Subject: [PATCH 17/21] Add support for injecting additional environment-variables into sliding-sync --- roles/custom/matrix-sliding-sync/defaults/main.yml | 3 +++ roles/custom/matrix-sliding-sync/templates/env.j2 | 2 ++ 2 files changed, 5 insertions(+) diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index ac1fe9034..c6a3f94c5 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -85,6 +85,9 @@ matrix_sliding_sync_environment_variable_syncv3_secret: '' # Controls the SYNCV3_DB environment variable matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode={{ matrix_sliding_sync_database_sslmode }}' +# Additional environment variables. +matrix_sliding_sync_environment_variables_additional_variables: '' + matrix_sliding_sync_database_username: 'matrix_sliding_sync' matrix_sliding_sync_database_password: '' matrix_sliding_sync_database_hostname: '' diff --git a/roles/custom/matrix-sliding-sync/templates/env.j2 b/roles/custom/matrix-sliding-sync/templates/env.j2 index 1269bd2a1..5d800a1b3 100644 --- a/roles/custom/matrix-sliding-sync/templates/env.j2 +++ b/roles/custom/matrix-sliding-sync/templates/env.j2 @@ -2,3 +2,5 @@ SYNCV3_SERVER={{ matrix_sliding_sync_environment_variable_syncv3_server }} SYNCV3_SECRET={{ matrix_sliding_sync_environment_variable_syncv3_secret }} SYNCV3_BINDADDR=:8008 SYNCV3_DB={{ matrix_sliding_sync_environment_variable_syncv3_db }} + +{{ matrix_sliding_sync_environment_variables_additional_variables }} From 495a890e1c77accbc9033d5e30a5b1a3a6b278d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Gonz=C3=A1lez?= Date: Wed, 11 Oct 2023 21:24:29 +0200 Subject: [PATCH 18/21] Update Admin-API link the old one is deprecated (says the page at the link target), and refers to this new one. --- docs/configuring-playbook-synapse-admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 1099553bf..001d0044f 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -15,7 +15,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_synapse_admin_enabled: true ``` -**Note**: Synapse Admin requires Synapse's [Admin APIs](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). +**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). ## Installing From af899a6558290a292ba1658891acb428bb931911 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Oct 2023 22:31:07 +0300 Subject: [PATCH 19/21] Update Synapse Admin APIs link --- docs/configuring-playbook-synapse-admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 001d0044f..fdd11f2e8 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -15,7 +15,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_synapse_admin_enabled: true ``` -**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). +**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). ## Installing From 4e46fb3cce3aa416fa3e29001eb82790615e98bd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 12 Oct 2023 01:09:42 +0300 Subject: [PATCH 20/21] Upgrade Traefik (v2.10.4-1 -> v2.10.5-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 49ae0a0f1..a35625a42 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.4-1 + version: v2.10.5-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From 3b2cb1cbc274fd255d592355d50ebe1ba8ce421a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 12 Oct 2023 18:54:16 +0300 Subject: [PATCH 21/21] update grafana 10.1.4 -> 10.1.5 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index a35625a42..86ee8e65f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -35,7 +35,7 @@ version: 7.0.1 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.1.4-0 + version: v10.1.5-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8960-1 name: jitsi