From ea22acc89936add20dfd013305ab6dd36ad2301c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 Jun 2024 10:55:08 +0300 Subject: [PATCH 01/46] Fix Hookshot URL path generation regression Regression since 78912688734589d67a9213201dbae45d231fad84, where I removed the `matrix_hookshot_urlprefix` prefix group `group_vars/matrix_servers`, thinking the value in `roles/custom/matrix-bridge-hookshot/defaults/main.yml` was the same. The value in `defaults/main.yml` incorrectly included `matrix_hookshot_public_endpoint` in `matrix_hookshot_urlprefix`, which was leading to double-`/hookshot`-prefixing. We were previously saved by the `matrix_hookshot_urlprefix` override in `group_vars/matrix_servers`. This fix brings the correct URL prefix value (the one without `matrix_hookshot_public_endpoint`) to `defaults/main.yml`. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 8bd0a1b8b..8950be581 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -34,7 +34,11 @@ matrix_hookshot_public_scheme: https matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}" matrix_hookshot_public_endpoint: /hookshot -matrix_hookshot_urlprefix: "{{ matrix_hookshot_public_scheme }}://{{ matrix_hookshot_public_hostname }}{{ matrix_hookshot_public_endpoint }}" +# This is the base URL prefix shared among all endpoints. +# +# It intentionally does not include the path prefix (`matrix_hookshot_public_endpoint`), +# because of how it's used - it's concatenated with paths that already use matrix_hookshot_public_endpoint` within them. +matrix_hookshot_urlprefix: "{{ matrix_hookshot_public_scheme }}://{{ matrix_hookshot_public_hostname }}" # There is no need to edit ports. use matrix_hookshot_container_http_host_bind_ports below to expose ports instead. matrix_hookshot_appservice_port: 9993 From aafea6d259d5ed7568f4560b9647a330683276bf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 Jun 2024 11:00:58 +0300 Subject: [PATCH 02/46] Fix typo in comment for `matrix_hookshot_container_labels_appservice_enabled` --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 8950be581..382d709b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
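Review bot: The fourth added comment line is missing the opening backtick before `matrix_hookshot_public_endpoint`, so the trailing backtick after it reads as a stray character rather than closing a code span; the line should name it as `` `matrix_hookshot_public_endpoint` `` like the line above does. It would also help to state the consequence the commit message describes, e.g. append `# Including it here would double-prefix every derived URL (e.g. /hookshot/hookshot/webhooks).` so the next reader does not re-add the endpoint to the prefix.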
@@ -253,7 +253,7 @@ matrix_hookshot_container_labels_webhooks_traefik_entrypoints: "{{ matrix_hooksh matrix_hookshot_container_labels_webhooks_traefik_tls: "{{ matrix_hookshot_container_labels_webhooks_traefik_entrypoints != 'web' }}" matrix_hookshot_container_labels_webhooks_traefik_tls_certResolver: "{{ matrix_hookshot_container_labels_traefik_tls_certResolver }}" # noqa var-naming -# Controls whether labels will be added that expose Hookshot's generic endpoint +# Controls whether labels will be added that expose Hookshot's appservice endpoint matrix_hookshot_container_labels_appservice_enabled: true matrix_hookshot_container_labels_appservice_traefik_rule: "Host(`{{ matrix_hookshot_appservice_hostname }}`) && PathPrefix(`{{ matrix_hookshot_appservice_endpoint }}`)" matrix_hookshot_container_labels_appservice_traefik_priority: 0 From 4704a60718946fd469aeee7fc3ae8127c633bb6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 Jun 2024 11:16:30 +0300 Subject: [PATCH 03/46] Use a /webhook path for generic webhooks By appending `/webhook` to the public URL (becoming `/hookshot/webhooks/webhook`) and by only stripping the `/hookshot/webhooks` prefix, we're effectively following what newer Hookshot versions advise (see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1681). This change appears to be backward-compatible (old webhook URLs like `/hookshot/webhooks/:hookId` still work), until Hookshot behavior changes. --- docs/configuring-playbook-bridge-hookshot.md | 3 ++- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md index 917fe5fdd..1ca0d9465 100644 --- a/docs/configuring-playbook-bridge-hookshot.md +++ b/docs/configuring-playbook-bridge-hookshot.md 
@@ -50,7 +50,8 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri | listener | default path | variable | used as | |---|---|---|---| -| webhooks | `/hookshot/webhooks/` | `matrix_hookshot_webhook_endpoint` | generics, GitHub "Webhook URL", GitLab "URL", etc. | +| - | `/hookshot/webhooks/` | `matrix_hookshot_webhook_endpoint` | Webhook-prefix, which affects all webhook-related URLs below | +| generic | `/hookshot/webhooks/webhook` | `matrix_hookshot_generic_endpoint` | Generic webhooks | | github oauth | `/hookshot/webhooks/oauth` | `matrix_hookshot_github_oauth_endpoint` | GitHub "Callback URL" | | jira oauth | `/hookshot/webhooks/jira/oauth` | `matrix_hookshot_jira_oauth_endpoint` | JIRA OAuth | | figma endpoint | `/hookshot/webhooks/figma/webhook` | `matrix_hookshot_figma_endpoint` | Figma | diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 382d709b7..823af6257 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -154,7 +154,7 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr matrix_hookshot_generic_enabled: true matrix_hookshot_generic_enableHttpGet: false # noqa var-naming # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" -matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" +matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/webhook" # urlprefix gets updated with protocol & port in group_vars/matrix_servers matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" # noqa var-naming # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap From 616cb3a91ca029c03adf947d2b2831fe05131d47 Mon Sep 17 00:00:00 2001 
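Review bot: In the `defaults/main.yml` hunk, the comment directly above the changed line still says `# Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks"`, which is now wrong since the value gains a `/webhook` suffix; update it to `# Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks/webhook"`. A one-line pointer to why the suffix exists would also help, e.g. `# Newer Hookshot versions expect generic webhooks at /webhook/:hookId under the stripped prefix (see issue 1681).`, so nobody "simplifies" it back.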
From: Slavi Pantaleev Date: Tue, 25 Jun 2024 11:30:41 +0300 Subject: [PATCH 04/46] Announce Hookshot webhooks serving at a {prefix}/webhook/:hookId path Related to 4704a60718946fd469aeee7fc3ae8127c633bb6b Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1681 --- CHANGELOG.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf92179aa..343979445 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,23 @@ +# 2024-06-25 + +## The URL-prefix for Hookshot generic webhooks has changed + +Until now, generic Hookshot webhook URLs looked like this: `https://matrix.DOMAIN/hookshot/webhooks/:hookId`. + +The `/hookshot/webhooks` common prefix gets stripped by Traefik automatically, so Hookshot only sees the part that comes after (`/:hookId`). + +[A few years ago](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1681), Hookshot started to prefer to handle webhooks at a `/webhook/:hookId` path (instead of directly at `/:hookId`). + +To avoid future problems, we've [reconfigured](https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/4704a60718946fd469aeee7fc3ae8127c633bb6b) our Hookshot configuration to use webhook URLs that include `/webhook` in the URL suffix (e.g. `/hookshot/webhooks/webhook/:hookId`, instead of `/hookshot/webhooks/:hookId`). This means that when we strip the common prefi (`/hookshot/webhooks`), we'll end up sending `/webhook/:hookId` to Hookshot, just like recommended. + +When generating new webhooks, you should start seeing the new URLs being used. + +**For now**, **both** old URLs (`/hookshot/webhooks/:hookId`) and new URLs (`/hookshot/webhooks/webhook/:hookId`) **continue to work***, so your webhooks will not break just yet. + +However, **we recommend that you update all your old webhook URLs** (configured in other systems) to include the new `/webhook` path component, so that future Hookshot changes (whenever they come) will not break your webhooks. You don't need to do anything on the Hookshot side - you merely need to reconfigure the remote systems that use your webhook URLs. + + + # 2024-06-22 ## The maubot user is now managed by the playbook From dc2c4f4fc0546c2957c68ca7b32116f1bd83a148 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 11:34:07 +0000 Subject: [PATCH 05/46] chore(deps): update dependency grafana to v11.1.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c9dc95760..56c0959a3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ version: v4.97.1-r0-0-2 name: exim_relay - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v11.0.0-1 + version: v11.1.0-0 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v9457-5 From aac88f418d7042eb7bf1f77f466b95aee769602f Mon Sep 17 00:00:00 2001 From: Fabio Bonelli Date: Tue, 25 Jun 2024 21:01:23 +0200 Subject: [PATCH 06/46] Fix typo in Sliding Sync Proxy docs --- docs/configuring-playbook-sliding-sync-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index f1ddba185..9ff453d21 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md +++ b/docs/configuring-playbook-sliding-sync-proxy.md @@ -23,7 +23,7 @@ If you'd like to run the Sliding Sync proxy on another hostname or path, use the ## Adjusting DNS records -If you've changed the default hostame, **you may need to adjust your DNS** records. +If you've changed the default hostname, **you may need to adjust your DNS** records. ## Adjusting the playbook configuration From 659df10799e19305cae8fe251fc43c24fbf573e0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 16:20:10 +0000 Subject: [PATCH 07/46] chore(deps): update matrixdotorg/sygnal docker tag to v0.15.0 --- roles/custom/matrix-sygnal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-sygnal/defaults/main.yml b/roles/custom/matrix-sygnal/defaults/main.yml index 079dee066..7782954fc 100644 --- a/roles/custom/matrix-sygnal/defaults/main.yml +++ b/roles/custom/matrix-sygnal/defaults/main.yml @@ -13,7 +13,7 @@ matrix_sygnal_hostname: '' matrix_sygnal_path_prefix: / # renovate: datasource=docker depName=matrixdotorg/sygnal -matrix_sygnal_version: v0.14.3 +matrix_sygnal_version: v0.15.0 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" From ef90ee94954d03d840b50818142af1ea70f81b33 Mon Sep 17 00:00:00 2001 From: hagene Date: Thu, 27 Jun 2024 14:51:06 +0200 Subject: [PATCH 08/46] Allow configuring synapse `auto_join_mxid_localpart` `auto_join_mxid_localpart` defines the local part of the user id which is used to create auto-join rooms. The variable needs to be set to invite new users to any auto-join rooms which are set to invite-only. --- roles/custom/matrix-synapse/defaults/main.yml | 6 ++++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4c8465077..e31845741 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -537,12 +537,18 @@ matrix_synapse_account_threepid_delegates_msisdn: '' # Users who register on this homeserver will automatically be joined to these rooms. # Rooms are to be specified using addresses (e.g. `#address:example.com`) +# If any auto-join rooms are invite-only, you need to define `matrix_synapse_auto_join_mxid_localpart`. matrix_synapse_auto_join_rooms: [] # Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created # automatically if they don't already exist. matrix_synapse_autocreate_auto_join_rooms: true +# The local part of the user id which is used to create auto-join rooms if `matrix_synapse_autocreate_auto_join_rooms` is true. +# Defaults to the initial user account that registers. +# The user id is also used to invite new users to any auto-join rooms which are set to invite-only. +matrix_synapse_auto_join_mxid_localpart: '' + # Controls whether room invites will be accepted on behalf of users. # See: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#auto-accept-invites # This should not be used together with the `synapse_auto_accept_invite` module (see `matrix_synapse_ext_synapse_auto_accept_invite_enabled`). diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index dc9970ec9..f8e77930d 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -1541,7 +1541,9 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json # Note that, if the room already exists, this user must be joined and # have the appropriate permissions to invite new members. # -#auto_join_mxid_localpart: system +{% if matrix_synapse_auto_join_mxid_localpart %} +auto_join_mxid_localpart: {{ matrix_synapse_auto_join_mxid_localpart }} +{% endif %} # When auto_join_rooms is specified, setting this flag to false prevents # guest accounts from being automatically joined to the rooms. From 8541aeceb53b9642ea8e266766089fd0c4961150 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 13:47:35 +0000 Subject: [PATCH 09/46] chore(deps): update dependency docker to v7.3.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 56c0959a3..03de8f3cb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -10,7 +10,7 @@ version: v0.1.2-2 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker - version: 7.2.0 + version: 7.3.0 name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a From 4aa3345db0c6a1a13384e29f773787941f1412f5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Jun 2024 21:35:56 +0300 Subject: [PATCH 10/46] Simplify auto_join_mxid_localpart population --- .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f8e77930d..48bacc4f6 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -1541,9 +1541,7 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json # Note that, if the room already exists, this user must be joined and # have the appropriate permissions to invite new members. # -{% if matrix_synapse_auto_join_mxid_localpart %} -auto_join_mxid_localpart: {{ matrix_synapse_auto_join_mxid_localpart }} -{% endif %} +auto_join_mxid_localpart: {{ matrix_synapse_auto_join_mxid_localpart | to_json }} # When auto_join_rooms is specified, setting this flag to false prevents # guest accounts from being automatically joined to the rooms. From d723ac67bebe0cc94619365f43bbb32f2c183514 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 16:18:15 +0000 Subject: [PATCH 11/46] chore(deps): update ghcr.io/matrix-org/sliding-sync docker tag to v0.99.19 --- roles/custom/matrix-sliding-sync/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index 3594e90ff..65f51be4c 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -6,7 +6,7 @@ matrix_sliding_sync_enabled: true # renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync -matrix_sliding_sync_version: v0.99.18 +matrix_sliding_sync_version: v0.99.19 matrix_sliding_sync_scheme: https From e000cbf0f42874bec05611d57a2922259da292bc Mon Sep 17 00:00:00 2001 
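Review bot: Removing the `{% if %}` guard means `auto_join_mxid_localpart: ""` is now always written to `homeserver.yaml`, including when the playbook variable is left at its empty default, whereas the previous template omitted the key in that case (and upstream's example in the removed context kept it commented out). This presumably relies on Synapse treating an empty localpart as "unset"; if that is not guaranteed for the supported Synapse versions, keep both the guard and the quoting: `{% if matrix_synapse_auto_join_mxid_localpart %}` / `auto_join_mxid_localpart: {{ matrix_synapse_auto_join_mxid_localpart | to_json }}` / `{% endif %}`. The `| to_json` itself is the right fix for the earlier patch's unquoted interpolation, where a localpart such as `no` or `123` would have been retyped by the YAML parser.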
From: Slavi Pantaleev Date: Mon, 1 Jul 2024 16:01:31 +0300 Subject: [PATCH 12/46] Auto-configure synapse-admin to be restricted to a single homeserver (the one managed by the playbook) --- CHANGELOG.md | 16 ++++++++ docs/configuring-playbook-synapse-admin.md | 10 ++--- .../matrix-synapse-admin/defaults/main.yml | 38 +++++++++++++++++++ .../tasks/setup_install.yml | 19 ++++++++-- .../templates/config.json.j2 | 3 ++ .../systemd/matrix-synapse-admin.service.j2 | 1 + 6 files changed, 77 insertions(+), 10 deletions(-) create mode 100644 roles/custom/matrix-synapse-admin/templates/config.json.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 343979445..367b3a2bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,19 @@ +# 2024-07-01 + +## synapse-admin is now restricted to your homeserver's URL by default + +A new feature introduced in synapse-admin [v0.10.0](https://github.com/Awesome-Technologies/synapse-admin/releases/tag/0.10.0) (released and supported by the playbook since a a few months ago) provides the ability to [restrict its usage to a specific homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) (or multiple homeservers). + +The playbook has just started making use of this feature. **From now on, your synapse-admin instance will be restricted to the homeserver you're managing via the playbook**. When configured like this, the *Homeserver URL* field in synapse-admin's web UI changes from a text field to a dropdown having a single value (the URL of your homeserver). This makes usage simpler for most people, as they won't need to manually enter a *Homeserver URL* anymore. + +If you'd like **to go back to the old unrestricted behavior**, use the following configuration: + +```yml +# Use this configuration to allow synapse-admin to manage any homeserver instance. +matrix_synapse_admin_config_restrictBaseUrl: [] +``` + + # 2024-06-25 ## The URL-prefix for Hookshot generic webhooks has changed diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 1e3e8980e..0b80f27ba 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md 
@@ -20,14 +20,12 @@ matrix_synapse_admin_enabled: true - for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true` - for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true` +By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) - the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable. + ## Installing -After configuring the playbook, run the [installation](installing.md) command again: - -``` -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -``` +After configuring the playbook, run the [installation](installing.md) command again (`just install-all`). ## Usage @@ -35,5 +33,3 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/` To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server. - -The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN` diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index c439c9133..e46974256 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -6,6 +6,7 @@ matrix_synapse_admin_enabled: true # A path on host where all related files will be saved matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin" +matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config" matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src" matrix_synapse_admin_container_image_self_build: false 
@@ -135,3 +136,40 @@ matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}" # The path at which Synapse Admin is exposed. # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`). matrix_synapse_admin_path_prefix: /synapse-admin + +# Default synapse-admin configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_synapse_admin_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_synapse_admin_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for synapse-admin should go to `matrix_synapse_admin_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_synapse_admin_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_synapse_admin_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_synapse_admin_configuration_extension_json: | +# { +# "some_setting": true, +# "another_setting": false +# } +matrix_synapse_admin_configuration_extension_json: '{}' + +matrix_synapse_admin_configuration_extension: "{{ matrix_synapse_admin_configuration_extension_json | from_json if matrix_synapse_admin_configuration_extension_json | from_json is mapping else {} }}" + +# Holds the final synapse-admin configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. 
Instead, see `matrix_synapse_admin_configuration_default`. +matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_default | combine(matrix_synapse_admin_configuration_extension, recursive=True) }}" + +# Controls the restrictBaseUrl configuration setting, which, if defined, +# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login. +matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}" # noqa var-naming diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml index d8819524f..6e7b8160b 100644 --- a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml @@ -1,12 +1,17 @@ --- -- name: Ensure matrix-synapse-admin path exist +- name: Ensure matrix-synapse-admin paths exists ansible.builtin.file: - path: "{{ matrix_synapse_admin_base_path }}" + path: "{{ item.path }}" state: directory - mode: 0700 + mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_synapse_admin_base_path }}", when: true} + - {path: "{{ matrix_synapse_admin_config_path }}", when: true} + - {path: "{{ matrix_synapse_admin_docker_src_files_path }}", when: "{{ matrix_synapse_admin_container_image_self_build }}"} + when: "item.when | bool" - name: Ensure matrix-synapse-admin labels file is created ansible.builtin.template: 
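Review bot: `matrix_synapse_admin_configuration_extension` silently substitutes `{}` whenever `matrix_synapse_admin_configuration_extension_json` parses to something other than a mapping, so a user's malformed extension (a JSON list, for example) is dropped with no signal and the resulting `config.json` quietly keeps only the defaults. This mirrors the extension pattern used by other roles in the playbook as far as I can tell, but the comment block above it should say so: `# A non-mapping extension (e.g. a JSON list) is ignored and treated as {}.`. Also worth noting in the comment on `matrix_synapse_admin_configuration` that `combine(recursive=True)` replaces list values rather than merging them, so an extension that sets `restrictBaseUrl` replaces the default list instead of appending to it. This hunk starts on the previous line.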
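Review bot: In the `setup_install.yml` hunk the base directory's mode is widened from `0700` to `0750` for all three paths without the commit message saying who needs group traversal; a one-line comment on the task stating the reason (or keeping `0700` for the base path if only `config_path` needs it) would keep the least-privilege intent clear. Separately, the octal modes are bare scalars (`mode: 0750`), which YAML 1.1 parsers read as the integer 488; Ansible handles that case, but it is the form ansible-lint's `risky-octal` rule warns about, so `mode: "0750"` is the safer spelling — the surrounding `mode: 0640` context suggests the file already follows the bare form, so treat this as a file-wide style choice rather than a one-off fix.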
@@ -16,6 +21,14 @@ group: "{{ matrix_user_groupname }}" mode: 0640 +- name: Ensure matrix-synapse-admin configuration installed + ansible.builtin.copy: + content: "{{ matrix_synapse_admin_configuration | to_nice_json }}" + dest: "{{ matrix_synapse_admin_config_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure matrix-synapse-admin image is pulled community.docker.docker_image: name: "{{ matrix_synapse_admin_docker_image }}" diff --git a/roles/custom/matrix-synapse-admin/templates/config.json.j2 b/roles/custom/matrix-synapse-admin/templates/config.json.j2 new file mode 100644 index 000000000..dbd32d6d4 --- /dev/null +++ b/roles/custom/matrix-synapse-admin/templates/config.json.j2 @@ -0,0 +1,3 @@ +{ + "restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }} +} diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index aa305718e..ed72bef7c 100644 --- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -30,6 +30,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \ {% endif %} --label-file={{ matrix_synapse_admin_base_path }}/labels \ + --mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \ {% for arg in matrix_synapse_admin_container_extra_arguments %} {{ arg }} \ {% endfor %} From e02ea07511d0939339cf9ad4e6fa250c19134df1 Mon Sep 17 00:00:00 2001 From: adam-kress Date: Tue, 2 Jul 2024 19:08:40 -0400 Subject: [PATCH 13/46] Upgrade Jitsi (v9457-5 -> v9584-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
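Review bot: The new copy task writes `config.json` with `mode: 0644`, i.e. world-readable on the host, while the labels file written just above it in the same role uses `0640`. Today the file only carries `restrictBaseUrl`, but `matrix_synapse_admin_configuration_extension_json` lets users put arbitrary settings into it, so aligning on `mode: 0640` is the consistent least-privilege choice — provided the container process can still read the bind-mounted file, which is not visible from this hunk and should be confirmed. The `ro` flag on the bind mount in the systemd hunk further down is the right call and needs no change.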
diff --git a/requirements.yml b/requirements.yml index 03de8f3cb..582afc38d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ version: v11.1.0-0 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9457-5 + version: v9584-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keydb.git version: v6.3.4-2 From 2c4ac736859d505b27fc07eeae2e55e0301e215b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 19:50:40 +0000 Subject: [PATCH 14/46] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.110.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index e31845741..61a3aca94 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.109.0 +matrix_synapse_version: v1.110.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 752de4406eaeafa89cd208efaa9dc3ac03daa2f2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Jul 2024 09:48:05 +0300 Subject: [PATCH 15/46] Make use of the new --exists-ok flag for register_new_matrix_user Related to https://github.com/element-hq/synapse/pull/17304 --- .../tasks/util/ensure_user_registered_synapse.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml index 00189e5c5..753573415 100644 --- a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml 
+++ b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml @@ -16,7 +16,7 @@ --user_type={{ user.initial_type | quote }} {% endif %} {% endif %} + --exists-ok http://localhost:{{ matrix_synapse_container_client_api_port }} register: matrix_synapse_register_user_result - changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout - failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout + changed_when: matrix_synapse_register_user_result.rc == 0 and 'User already exists' not in matrix_synapse_register_user_result.stdout From 18130f843673e4e86db20e84a5538264056316c3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Jul 2024 11:20:32 +0300 Subject: [PATCH 16/46] Upgrade Postgres (v16.3-1 -> v16.3-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 582afc38d..98ea28821 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 name: playbook_state_preserver - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: v16.3-1 + version: v16.3-2 name: postgres - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8c3585fb4857dbac026b2974bb6525289240effb From 74bb81273950e978c01b8b2f610217b9815575b8 Mon Sep 17 00:00:00 2001 
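Review bot: `--exists-ok` is appended unconditionally, and with `failed_when` removed any non-zero exit is now a hard failure, so a host whose currently running Synapse predates the flag (this task presumably runs before services are restarted) will fail on an unknown-option error rather than on a real registration problem. Gating the flag on the Synapse version in use, or keeping a `failed_when` that still tolerates the old `'User ID already taken'` output during the transition, would make the change safe for existing deployments; a later patch in this series reverts the change for exactly this reason. The enclosing task starts outside the hunk.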
From: Slavi Pantaleev Date: Thu, 4 Jul 2024 13:56:47 +0300 Subject: [PATCH 17/46] Revert "Make use of the new --exists-ok flag for register_new_matrix_user" This reverts commit 752de4406eaeafa89cd208efaa9dc3ac03daa2f2. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3393 When running the playbook against an existing server, it invokes `register_new_matrix_user` as part of the `matrix-user-creator` role, which runs before the `systemd_service_manager`. At that time, `matrix-user-creator` detects that Synapse is up (from before), but it's the old version. Services have not yet been restarted, so it's actually the older Synapse version that is up, not the new one. The old version does not support the `--exists-ok` flag yet. Basically, this `--exists-ok` patch landed too early and has affected existing playbook users that have an older version of Synapse in operation. It will be safer to bring back this patch some time in the future. However, users upgrading from Synapse <= v1.109.0 even long into the future will bump into the same issue. As such, it would be better to either add special handling or to delay bringing back this patch enough so as to ensure everyone using the playbook is on Synapse >= 1.110.0. --- .../tasks/util/ensure_user_registered_synapse.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml index 753573415..00189e5c5 100644 --- a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml +++ b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml 
@@ -16,7 +16,7 @@ --user_type={{ user.initial_type | quote }} {% endif %} {% endif %} - --exists-ok http://localhost:{{ matrix_synapse_container_client_api_port }} register: matrix_synapse_register_user_result - changed_when: matrix_synapse_register_user_result.rc == 0 and 'User already exists' not in matrix_synapse_register_user_result.stdout + changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout + failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout From e2cc4e944750c0509a3b42b15a72ab8c95b63017 Mon Sep 17 00:00:00 2001 From: adam-kress Date: Thu, 4 Jul 2024 11:08:12 -0400 Subject: [PATCH 18/46] Upgrade Jitsi (v9584-0 -> v9584-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 98ea28821..1a5b2ccf9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ version: v11.1.0-0 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9584-0 + version: v9584-1 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keydb.git version: v6.3.4-2 From 5d1b844fca72ec96fc7b9ef2050a19167ca7a3a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Jul 2024 21:19:19 +0300 Subject: [PATCH 19/46] Upgrade exim-relay (v4.97.1-r0-0-2 -> v4.97.1-r0-1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1a5b2ccf9..4082e8d88 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: v2.1.0-1 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git - version: v4.97.1-r0-0-2 + version: v4.97.1-r0-1-0 name: exim_relay - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v11.1.0-0 
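Review bot: The restored `changed_when`/`failed_when` pair carries the reason for avoiding `--exists-ok` only in the commit message, so nothing in the task stops the flag from being reintroduced before every deployment runs Synapse >= 1.110.0; a comment above `register:` such as `# Do not pass --exists-ok: this task can hit a not-yet-restarted Synapse older than v1.110.0, which rejects the flag. 'User ID already taken' in stdout is how those versions report an existing user.` would keep that constraint next to the code. Both conditions also depend on a literal message in stdout, and v1.110.0 already reworded it to 'User already exists', so on a new Synapse without the flag an existing user presumably fails the task instead of being skipped; checking for both phrases, `('User ID already taken' not in ... and 'User already exists' not in ...)`, would cover both generations. The task's command block starts outside the hunk.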
From 4322c0b49661463da8fbd2b35f233e6bdae53e00 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Jul 2024 21:27:33 +0300 Subject: [PATCH 20/46] Upgrade devture/ansible (2.16.1-r0-0 -> 2.17.0-r0-0) --- docs/ansible.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index f20c78261..007cc25c7 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.16.1-r0-0 +docker.io/devture/ansible:2.17.0-r0-0 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. @@ -86,7 +86,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.16.1-r0-0 +docker.io/devture/ansible:2.17.0-r0-0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). From 3e3ce659fef67158e634ddeea16b758a3a2ab7e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Jul 2024 22:05:25 +0300 Subject: [PATCH 21/46] Upgrade matrix-corporal (2.7.0 -> 2.8.0) --- roles/custom/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 93120843b..2ff8f6685 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml @@ -5,7 +5,7 @@ matrix_corporal_enabled: true # renovate: datasource=docker depName=devture/matrix-corporal -matrix_corporal_version: 2.7.0 +matrix_corporal_version: 2.8.0 matrix_corporal_container_image_self_build: false matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git" From 329796f4d48ea8406a34467cb1331fccfd12e54d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 6 Jul 2024 10:59:28 +0300 Subject: [PATCH 22/46] Upgrade Traefik to v3 and adapt matrix-media-repo role `matrix-media-repo` is the only role that seems incompatible with the changes introduced by Traefik v3, due to its use of `PathPrefix` with regular expressions in a few places. Regular expressions should now be used with `PathRegexp`, not `PathPrefix`. Furthermore, they should follow the Golang regexp syntax, as described in the migration guide: https://doc.traefik.io/traefik/migration/v2-to-v3-details/#dynamic-configuration-changes --- requirements.yml | 2 +- roles/custom/matrix-media-repo/defaults/main.yml | 16 ++++++++-------- .../matrix-media-repo/tasks/validate_config.yml | 4 ++++ 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/requirements.yml b/requirements.yml index 4082e8d88..d05919e8b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -70,7 +70,7 @@ version: v1.0.0-0 name: timesync - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.11.4-0 + version: v3.0.4-1 name: traefik - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.3-2 diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index a09744401..42a28cc48 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
@@ -81,8 +81,8 @@ matrix_media_repo_container_labels_traefik_internal_media_entrypoints: ""
 # /_matrix/client/r0/logout
 # /_matrix/client/r0/logout/all
-matrix_media_repo_container_labels_traefik_logout_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}"
-matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)"
+matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(?Pr0|v1|v3|unstable)/(?Plogout|logout/all)"
+matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_priority: 0
 matrix_media_repo_container_labels_traefik_logout_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
 matrix_media_repo_container_labels_traefik_logout_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
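Review bot: The named groups in the new logout regexp read `(?Pr0|v1|v3|unstable)` and `(?Plogout|logout/all)`; Go's regexp syntax only accepts `(?P<name>...)`, so unless the angle-bracketed names were dropped by the rendering of this page, Traefik would reject the rule at load time. `PathRegexp` never references group names, so plain groups are both safer and simpler: `matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all)"`. The same applies to the admin regexp in the next hunk, which additionally wraps each alternation in a second pair of parentheses, `(?P(r0|v1|v3|unstable))`, inconsistent with this one. The expression is anchored only at the start, which preserves the prefix semantics of the `PathPrefix` rule it replaces; a comment above it, `# Anchored at the start only: PathRegexp is used as a prefix match here, like the PathPrefix rule it replaced.`, would stop a later reader from "fixing" it with a trailing `$`.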
@@ -90,8 +90,8 @@ matrix_media_repo_container_labels_traefik_logout_tls_certResolver: default # n
 # /_matrix/client/r0/admin/purge_media_cache
 # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
-matrix_media_repo_container_labels_traefik_admin_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}"
-matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)"
+matrix_media_repo_container_labels_traefik_admin_path_regexp: "^/_matrix/client/(?P(r0|v1|v3|unstable))/admin/(?P(purge_media_cache|quarantine_media/.*))"
+matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_priority: 0
 matrix_media_repo_container_labels_traefik_admin_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
 matrix_media_repo_container_labels_traefik_admin_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
@@ -114,8 +114,8 @@ matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: de
 # /_matrix/client/r0/logout
 # /_matrix/client/r0/logout/all
-matrix_media_repo_container_labels_traefik_logout_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}"
-matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)"
+matrix_media_repo_container_labels_traefik_logout_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}"
+matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_federation_priority: 0
 matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
@@ -123,8 +123,8 @@ matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: d
 # /_matrix/client/r0/admin/purge_media_cache
 # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
-matrix_media_repo_container_labels_traefik_admin_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}"
-matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)"
+matrix_media_repo_container_labels_traefik_admin_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}"
+matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_federation_priority: 0
 matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
diff --git a/roles/custom/matrix-media-repo/tasks/validate_config.yml b/roles/custom/matrix-media-repo/tasks/validate_config.yml
index 2f31ba03c..57fdf8595 100644
--- a/roles/custom/matrix-media-repo/tasks/validate_config.yml
+++ b/roles/custom/matrix-media-repo/tasks/validate_config.yml
@@ -29,3 +29,7 @@ - {'old': 'matrix_media_repo_url_previews', 'new': ''} - {'old': 'matrix_media_repo_thumbnails', 'new': ''} - {'old': 'matrix_media_repo_feature_support', 'new': ''} + - {'old': 'matrix_media_repo_container_labels_traefik_logout_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_logout_path_regexp'} + - {'old': 'matrix_media_repo_container_labels_traefik_admin_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_admin_path_regexp'} + - {'old': 'matrix_media_repo_container_labels_traefik_logout_federation_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_logout_federation_path_regexp'} + - {'old': 'matrix_media_repo_container_labels_traefik_admin_federation_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_admin_federation_path_regexp'} From 9b5be6825d1c9661de847fb0708e0ab6dfeff963 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jul 2024 11:00:59 +0300 Subject: [PATCH 23/46] Enable HTTP/3 by default for web-secure and matrix-federation HTTP/3 is no longer considered experimental in Traefik v3, so it's a good time to enable it. --- group_vars/matrix_servers | 3 +++ roles/custom/matrix-base/defaults/main.yml | 12 +++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f84bf4e55..bd851c675 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
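Review bot: The four new entries map each `_path_prefix` variable to a `_path_regexp` successor, which reads as a plain rename, but the value format changed as well: a Traefik v2 pattern such as `/_matrix/client/{version:(r0|v1|v3|unstable)}/...` is not a valid Go regexp, so a user who carries a custom override across under the new name ends up with a rule Traefik v3 rejects. The task consuming this list starts outside the hunk, so I cannot see what it reports; if it only says "renamed to ...", a comment above these entries, `# Renamed AND re-typed: old values used Traefik v2 {name:regex} path syntax, new ones are Go regexps for PathRegexp.`, or a matching hint in the failure message, would save those users a confusing Traefik error.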
@@ -38,6 +38,9 @@ matrix_playbook_reverse_proxy_hostname: "{{ devture_traefik_identifier if devtur # A separate Matrix Federation entrypoint is always enabled, unless the federation port matches one of the ports for existing (default) entrypoints matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: "{{ matrix_federation_public_port not in [devture_traefik_config_entrypoint_web_port, devture_traefik_config_entrypoint_web_secure_port] }}" +# We only enable HTTP/3 on the federation entrypoint if the main web-secure entrypoint has it enabled. +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: "{{ devture_traefik_config_entrypoint_web_secure_http3_enabled }}" + # `devture_traefik_config_entrypoint_web_secure_enabled` is the variable we currently follow to determine if SSL is enabled or not. # `matrix_playbook_ssl_enabled` is merely an indicator if (when looked at it publicly), the server supports SSL or not, # and affects how services configure their public URLs. diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 393063980..ba5efa26a 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -263,7 +263,16 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}" -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}" +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}" +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}" +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default: | + {{ + ({'http3': {'advertisedPort': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort | int}}) + if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled + else {} + }} 
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto: {} matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: {} @@ -271,6 +280,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition: name: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name }}" port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}" + host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp }}" config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}" # Controls whether to enable an additional Traefik entrypoint for the purpose of serving the homeserver's Client-Server API internally. From aad167561abecdab3cde4925eaae21095a34d708 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jul 2024 11:03:51 +0300 Subject: [PATCH 24/46] Announce Traefik v3 and HTTP/3 --- CHANGELOG.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 367b3a2bc..5d3bec193 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
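Review bot: The new `_config` expression merges `_config_default` with `_config_auto` through a shallow `combine` (written `combine (` with a stray space), while the `_config_custom` step keeps `recursive=True`; an `_auto` value of the form `{'http3': {...}}` therefore replaces the whole default `http3` mapping instead of merging into it, unlike the same override placed in `_custom`. If that asymmetry is not intended, `combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto, recursive=True)` makes both layers behave alike. `_host_bind_port_udp` resolves to `''` when HTTP/3 is disabled, and the consumer of `host_bind_port_udp` in the entrypoint definition lives outside this file, so a comment on that line, `# '' means: do not publish a UDP port for this entrypoint.`, would document the contract the consumer must honour.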
@@ -1,3 +1,52 @@ +# 2024-07-06 + +## Traefik v3 and HTTP/3 are here now + +**TLDR**: Traefik was migrated from v2 to v3. Minor changes were done to the playbook. Mostly everything else worked out of the box. Most people will not have to do any tweaks to their configuration. In addition, [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) support is now auto-enabled for the `web-secure` (port 443) and `matrix-federation` (port `8448`) entrypoints. If you have a firewall in front of your server and you wish to benefit from `HTTP3`, you will need to open the `443` and `8448` UDP ports in it. + +### Traefik v3 + +The reverse-proxy that the playbook uses by default (Traefik) has recently been upgraded to v3 (see [this blog post](https://traefik.io/blog/announcing-traefik-proxy-v3-rc/) to learn about its new features). Version 3 includes some small breaking configuration changes requiring a [migration](https://doc.traefik.io/traefik/migration/v2-to-v3/). + +We have **updated the playbook to Traefik v3** (make sure to run `just roles` / `make roles` to get it). + +There were **only minor playbook changes required** to adapt to Traefik v3, and only to the Ansible role for [matrix-media-repo](./docs/configuring-playbook-matrix-media-repo.md) where we changed a few [`PathPrefix` instances to `PathRegexp`](https://doc.traefik.io/traefik/routing/routers/#path-pathprefix-and-pathregexp), because these instances were using a regular expression instead of a fixed path. For fixed-path values, `PathPrefix` is still the preferred matcher function to use. + +**Most people using the playbook should not have to do any changes**. + +If you're using the playbook's Traefik instance to reverse-proxy to some other services of your own (not managed by the playbook), you may wish to review their Traefik labels and make sure they're in line with the [Traefik v2 to v3 migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/). 
+ +If you've tweaked any of this playbook's `_path_prefix` variables and made them use a regular expression, you will now need to make additional adjustments. The playbook makes extensive use of `PathPrefix()` matchers in Traefik rules and `PathPrefix` does not support regular expressions anymore. To work around it, you may now need to override a whole `_traefik_rule` variable and switch it from [`PathPrefix` to `PathRegexp`](https://doc.traefik.io/traefik/routing/routers/#path-pathprefix-and-pathregexp). + +If you're not using [matrix-media-repo](./docs/configuring-playbook-matrix-media-repo.md) (the only role we had to tweak to adapt it to Traefik v3), you **may potentially downgrade to Traefik v2** (if necessary) by adding `devture_traefik_verison: v2.11.4` to your configuration. People using `matrix-media-repo` cannot downgrade this way, because `matrix-media-repo` has been adjusted to use `PathRegexp` - a [routing matcher](https://doc.traefik.io/traefik/v2.11/routing/routers/#rule) that Traefik v2 does not understand. + + +### HTTP/3 is enabled by default + +In Traefik v3, [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) support is no longer considered experimental now. +Due to this, **the playbook auto-enables HTTP3** for the `web-secure` (port 443) and `matrix-federation` (port `8448`) entrypoints. + +HTTP3 uses the UDP protocol and **the playbook (together with Docker) will make sure that the appropriate ports** (`443` over UDP & `8448` over UDP) **are exposed and whitelisted in your server's firewall**. However, **if you have another firewall in front of your server** (as is the case for many cloud providers), **you will need to manually open these UDP ports**. + +If you do not open the UDP ports correctly or there is some other issue, clients (browsers, mostly) will fall-back to [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) or even [HTTP/1.1](https://en.wikipedia.org/wiki/HTTP). 
+ +Still, if HTTP/3 cannot function correctly in your setup, it's best to disable advertising support for it (and misleading clients into trying to use HTTP/3). + +To **disable HTTP/3**, you can use the following configuration: + +```yml +devture_traefik_config_entrypoint_web_secure_http3_enabled: false + +# Disabling HTTP/3 for the web-secure entrypoint (above), +# automatically disables it for the Matrix Federation entrypoint as well, +# so you do not necessarily need the configuration line below. +# +# Feel free to only keep it around if you're keeping HTTP/3 enabled for web-secure (by removing the line above), +# and would only like to disable HTTP/3 for the Matrix Federation entrypoint. +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false +``` + + # 2024-07-01 ## synapse-admin is now restricted to your homeserver's URL by default From c87bb206da55e59ac419955e888a13d1c27dbb53 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jul 2024 11:15:34 +0300 Subject: [PATCH 25/46] Fix ansible-lint-reported error --- roles/custom/matrix-base/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index ba5efa26a..36b248b1f 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -266,7 +266,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default: | {{ ({'http3': {'advertisedPort': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort | int}}) From 032b76bd62ecaa2914a177e64fd0ef1100718fc2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 6 Jul 2024 21:48:41 +0300 Subject: [PATCH 26/46] Add support for matrix-alertmanager-receiver --- CHANGELOG.md | 7 + ...figuring-playbook-alertmanager-receiver.md | 93 +++++++ docs/configuring-playbook.md | 2 + group_vars/matrix_servers | 50 ++++ .../defaults/main.yml | 236 ++++++++++++++++++ .../tasks/install.yml | 80 ++++++ .../tasks/main.yml | 20 ++ .../tasks/uninstall.yml | 25 ++ .../tasks/validate_config.yml | 14 ++ .../templates/config.yml.j2 | 37 +++ .../templates/labels.j2 | 69 +++++ .../matrix-alertmanager-receiver.service.j2 | 50 ++++ setup.yml | 1 + 13 files changed, 684 insertions(+) create mode 100644 docs/configuring-playbook-alertmanager-receiver.md create mode 100644 roles/custom/matrix-alertmanager-receiver/defaults/main.yml create mode 100644 roles/custom/matrix-alertmanager-receiver/tasks/install.yml create mode 100644 roles/custom/matrix-alertmanager-receiver/tasks/main.yml create mode 100644 roles/custom/matrix-alertmanager-receiver/tasks/uninstall.yml create mode 100644 roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml create mode 100644 roles/custom/matrix-alertmanager-receiver/templates/config.yml.j2 create mode 100644 roles/custom/matrix-alertmanager-receiver/templates/labels.j2 create mode 100644 roles/custom/matrix-alertmanager-receiver/templates/systemd/matrix-alertmanager-receiver.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d3bec193..0011dac45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,12 @@ # 2024-07-06 +## matrix-alertmanager-receiver support + +For those wishing to more easily integrate [Prometheus](https://prometheus.io/)' alerting service ([Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/)) with Matrix, the playbook can now set up [matrix-alertmanager-receiver](https://github.com/metio/matrix-alertmanager-receiver). + +See [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](./docs/configuring-playbook-alertmanager-receiver.md) for more details. + + ## Traefik v3 and HTTP/3 are here now **TLDR**: Traefik was migrated from v2 to v3. Minor changes were done to the playbook. Mostly everything else worked out of the box. Most people will not have to do any tweaks to their configuration. In addition, [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) support is now auto-enabled for the `web-secure` (port 443) and `matrix-federation` (port `8448`) entrypoints. If you have a firewall in front of your server and you wish to benefit from `HTTP3`, you will need to open the `443` and `8448` UDP ports in it. diff --git a/docs/configuring-playbook-alertmanager-receiver.md b/docs/configuring-playbook-alertmanager-receiver.md new file mode 100644 index 000000000..f85facefe --- /dev/null +++ b/docs/configuring-playbook-alertmanager-receiver.md 
@@ -0,0 +1,93 @@ +# Setting up matrix-alertmanager-receiver (optional) + +The playbook can install and configure the [matrix-alertmanager-receiver](https://github.com/metio/matrix-alertmanager-receiver) service for you. It's a [client](https://prometheus.io/docs/alerting/latest/clients/) for Prometheus' [Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/), allowing you to deliver alerts to Matrix rooms. + +See the project's [documentation](https://github.com/metio/matrix-alertmanager-receiver) to learn more about what this component does and why it might be useful to you. + +At the moment, **setting up this service's bot requires some manual actions** as described below in [Account and room preparation](#account-and-room-preparation). + +This service is meant to be used with an external [Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/) instance. It's **not** meant to be integrated with the [Prometheus & Grafana stack](./configuring-playbook-prometheus-grafana.md) installed by this playbook, because the Alertmanager component is not installed by it. + + +## Configuration + +```yml +matrix_alertmanager_receiver_enabled: true + +# This exposes matrix-alertmanager-receiver on the `matrix.` domain. +# Adjust, if necessary. +matrix_alertmanager_receiver_hostname: "{{ matrix_server_fqn_matrix }}" + +# This exposes matrix-alertmanager-receiver under a path prefix containing a random (secret) value. +# Adjust the `RANDOM_VALUE_HERE` part with a long and secure value. +matrix_alertmanager_receiver_path_prefix: /matrix-alertmanager-receiver-RANDOM_VALUE_HERE + +# If you'd like to change the username for this bot, uncomment and adjust. Otherwise, remove. +# matrix_alertmanager_receiver_config_matrix_user_id_localpart: "bot.alertmanager.receiver" + +# Specify the bot user's access token here. +# See the "Account and room preparation" section below. 
+matrix_alertmanager_receiver_config_matrix_access_token: '' + +# Optionally, configure some mappings (URL-friendly room name -> actual Matrix room ID). +# +# If you don't configure mappings, you can still deliver alerts using URLs like this: +# https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/!some-room-id:example.com +# +# If a mapping like the one below is configured, you can deliver alerts using friendlier URLs like this: +# https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/some-room-name +matrix_alertmanager_receiver_config_matrix_room_mapping: + some-room-name: "!some-room-id:{{ matrix_domain }}" +``` + +See `roles/custom/matrix-alertmanager-receiver/defaults/main.yml` for additional configuration variables. + + +## Account and room preparation + +The playbook can automatically create users, but it cannot automatically obtain access tokens, nor perform any of the other manual actions below. + +`matrix-alertmanager-receiver` uses a bot (with a username specified in `matrix_alertmanager_receiver_config_matrix_user_id_localpart` - see above) for delivering messages. You need to **manually register this bot acccount and obtain an access token for it**. + +1. [Register a new user](registering-users.md): `ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.alertmanager.receiver password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user` +2. [Obtain an access token](obtaining-access-tokens.md) for the bot's user account +3. Invite the bot to a room where you'd like to alerts to be delivered +4. Log in as the bot using any Matrix client of your choosing, accept the room invitation from the bot's account and log out +5. (Optionally) Adjust `matrix_alertmanager_receiver_config_matrix_room_mapping` to create a mapping between the new room and its id + +Steps 1 and 2 above only need to be done once, while preparing your [configuration](#configuration). 
+ +Steps 3 and 4 need to be done for each new room you'd like the bot to deliver alerts to. Step 5 is optional and provides cleaner `/alert/` URLs. + + +## Installation + +Now that you've [prepared the bot account and room](#account-and-room-preparation) and have [configured the playbook](#configuration), you can re-run the [installation](./installing.md) process (`just install-all`). + +Then, you can proceed to [Usage](#usage). + + +## Usage + +Configure your Prometheus Alertmanager with configuration like this: + +```yml + receivers: + - name: matrix + webhook_configs: + - send_resolved: true + url: URL_HERE + route: + group_by: + - namespace + group_interval: 5m + group_wait: 30s + receiver: "matrix" + repeat_interval: 12h + routes: + - receiver: matrix +``` + +.. where `URL_HERE` looks like `https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/some-room-name` or `https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/!some-room-id:DOMAIN`. + +This bot does **not** accept room invitations automatically (like many other bots do). To deliver messages to rooms, **the bot must be joined to all rooms manually** - see Step 5 of the [Account and room preparation](#account-and-room-preparation) section. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 708367083..64c47fbe6 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -224,3 +224,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional) - [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional) + +- [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md) (optional) 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bd851c675..3746d26cc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -267,6 +267,8 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + + ([{'name': 'matrix-alertmanager-receiver.service', 'priority': 2200, 'groups': ['matrix', 'alertmanager-receiver']}] if matrix_alertmanager_receiver_enabled else []) + + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else []) 
@@ -558,6 +560,54 @@ matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if m ###################################################################### +###################################################################### +# +# matrix-alertmanager-receiver +# +###################################################################### + +# We don't enable this by default. +matrix_alertmanager_receiver_enabled: false + +matrix_alertmanager_receiver_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + +matrix_alertmanager_receiver_container_network: "{{ matrix_addons_container_network }}" + +matrix_alertmanager_receiver_container_additional_networks_auto: |- + {{ + ( + ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + + + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_alertmanager_receiver_container_labels_traefik_enabled) else []) + ) | unique + }} + +matrix_alertmanager_receiver_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_alertmanager_receiver_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_alertmanager_receiver_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_alertmanager_receiver_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" +matrix_alertmanager_receiver_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" + +matrix_alertmanager_receiver_systemd_required_services_list_auto: "{{ matrix_addons_homeserver_systemd_services_list }}" + 
+matrix_alertmanager_receiver_config_matrix_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}" + +matrix_alertmanager_receiver_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" + +matrix_alertmanager_receiver_metrics_proxying_enabled: "{{ matrix_alertmanager_receiver_config_http_metrics_enabled and matrix_metrics_exposure_enabled }}" +matrix_alertmanager_receiver_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" +matrix_alertmanager_receiver_metrics_proxying_path: "{{ matrix_metrics_exposure_path_prefix }}/matrix-alertmanager-receiver" + +###################################################################### +# +# /matrix-alertmanager-receiver +# +###################################################################### + + + ###################################################################### # # matrix-bridge-appservice-discord diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml new file mode 100644 index 000000000..d802c9c77 --- /dev/null +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml 
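Review bot: The basic-auth wiring added here sets `matrix_alertmanager_receiver_container_labels_metrics_middleware_basic_auth_enabled` and `..._users`, but the role's defaults and `templates/labels.j2` read `matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled` / `..._users` (note the `public_` segment), so these two lines are dead and the proxied metrics endpoint is published without the playbook-wide metrics basic-auth even when `matrix_metrics_exposure_http_basic_auth_enabled` is true. Rename both keys: `matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"` and `matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"`. Separately, `matrix_alertmanager_receiver_metrics_enabled` is defined here but nothing feeds it into `matrix_alertmanager_receiver_config_http_metrics_enabled`, so `matrix_alertmanager_receiver_metrics_proxying_enabled` stays false unless the user sets the config variable directly; presumably `matrix_alertmanager_receiver_config_http_metrics_enabled: "{{ matrix_alertmanager_receiver_metrics_enabled }}"` was intended. The defaults hunk and the labels.j2 hunk below use the `public_metrics` spelling consistently, so the fix belongs in this file.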
@@ -0,0 +1,236 @@ +--- + +# matrix-alertmanager-receiver is a service which receives webhook payloads from Prometheus' Alertmanager and forwards them to a Matrix room. +# Project source code URL: https://github.com/metio/matrix-alertmanager-receiver + +matrix_alertmanager_receiver_enabled: true + +# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver +matrix_alertmanager_receiver_version: 2024.7.3 + +matrix_alertmanager_receiver_scheme: https + +# The hostname at which matrix-alertmanager-receiver is served. +matrix_alertmanager_receiver_hostname: '' + +# The path at which matrix-alertmanager-receiver is served. +# This value must either be `/` or not end with a slash (e.g. `/matrix-alertmanager-receiver`). +matrix_alertmanager_receiver_path_prefix: / + +matrix_alertmanager_receiver_base_path: "{{ matrix_base_data_path }}/alertmanager-receiver" +matrix_alertmanager_receiver_config_path: "{{ matrix_alertmanager_receiver_base_path }}/config" + +matrix_alertmanager_receiver_container_image_self_build: false +matrix_alertmanager_receiver_container_image_self_build_repo: https://github.com/metio/matrix-alertmanager-receiver +matrix_alertmanager_receiver_container_image_self_build_repo_version: "{{ 'main' if matrix_alertmanager_receiver_version == 'main' else matrix_alertmanager_receiver_version }}" +matrix_alertmanager_receiver_container_src_path: "{{ matrix_alertmanager_receiver_base_path }}/container-src" + +matrix_alertmanager_receiver_container_image: "{{ matrix_alertmanager_receiver_container_image_name_prefix }}metio/matrix-alertmanager-receiver:{{ matrix_alertmanager_receiver_container_image_tag }}" +matrix_alertmanager_receiver_container_image_name_prefix: "{{ 'localhost/' if matrix_alertmanager_receiver_container_image_self_build else matrix_alertmanager_receiver_container_image_registry_prefix }}" +matrix_alertmanager_receiver_container_image_tag: "{{ matrix_alertmanager_receiver_version }}" 
+matrix_alertmanager_receiver_container_image_force_pull: "{{ matrix_alertmanager_receiver_container_image.endswith(':main') }}" +matrix_alertmanager_receiver_container_image_registry_prefix: docker.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_alertmanager_receiver_container_network: '' + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +matrix_alertmanager_receiver_container_additional_networks: "{{ matrix_alertmanager_receiver_container_additional_networks_default + matrix_alertmanager_receiver_container_additional_networks_auto + matrix_alertmanager_receiver_container_additional_networks_custom }}" +matrix_alertmanager_receiver_container_additional_networks_default: [] +matrix_alertmanager_receiver_container_additional_networks_auto: [] +matrix_alertmanager_receiver_container_additional_networks_custom: [] + +# Controls whether matrix-alertmanager-receiver metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/matrix-alertmanager-receiver` +matrix_alertmanager_receiver_metrics_proxying_enabled: false +matrix_alertmanager_receiver_metrics_proxying_hostname: '' +matrix_alertmanager_receiver_metrics_proxying_path: /metrics/matrix-alertmanager-receiver + +# matrix_alertmanager_receiver_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_alertmanager_receiver_container_labels_additional_labels`. 
+matrix_alertmanager_receiver_container_labels_traefik_enabled: true +matrix_alertmanager_receiver_container_labels_traefik_docker_network: "{{ matrix_alertmanager_receiver_container_network }}" +matrix_alertmanager_receiver_container_labels_traefik_hostname: "{{ matrix_alertmanager_receiver_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/matrix-alertmanager-receiver`). +matrix_alertmanager_receiver_container_labels_traefik_path_prefix: "{{ matrix_alertmanager_receiver_path_prefix }}" +matrix_alertmanager_receiver_container_labels_traefik_rule: "Host(`{{ matrix_alertmanager_receiver_container_labels_traefik_hostname }}`){% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_alertmanager_receiver_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_alertmanager_receiver_container_labels_traefik_priority: 0 +matrix_alertmanager_receiver_container_labels_traefik_entrypoints: web-secure +matrix_alertmanager_receiver_container_labels_traefik_tls: "{{ matrix_alertmanager_receiver_container_labels_traefik_entrypoints != 'web' }}" +matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls whether labels will be added that expose metrics (see `matrix_alertmanager_receiver_metrics_proxying_enabled`) for matrix-alertmanager-receiver +matrix_alertmanager_receiver_container_labels_public_metrics_enabled: "{{ matrix_alertmanager_receiver_metrics_enabled and matrix_alertmanager_receiver_metrics_proxying_enabled }}" +matrix_alertmanager_receiver_container_labels_public_metrics_traefik_path: "{{ matrix_alertmanager_receiver_metrics_proxying_path }}" +matrix_alertmanager_receiver_container_labels_public_metrics_traefik_rule: "Host(`{{ matrix_alertmanager_receiver_metrics_proxying_hostname }}`) && Path(`{{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_path }}`)" 
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_priority: 0 +matrix_alertmanager_receiver_container_labels_public_metrics_traefik_entrypoints: "{{ matrix_alertmanager_receiver_container_labels_traefik_entrypoints }}" +matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls: "{{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_entrypoints != 'web' }}" +matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls_certResolver: "{{ matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled: false +# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users +matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_users: '' + +# matrix_alertmanager_receiver_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_alertmanager_receiver_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_alertmanager_receiver_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_alertmanager_receiver_container_extra_arguments: [] + +# Controls the `--log-level` argument passed to the container process. +# Valid values: error, warn, info, debug +matrix_alertmanager_receiver_container_process_argument_log_level: info + +# A list of extra arguments to pass to the container process. 
+matrix_alertmanager_receiver_container_process_extra_arguments: [] + +# List of systemd services that matrix-alertmanager-receiver-proxy.service depends on +matrix_alertmanager_receiver_systemd_required_services_list: "{{ matrix_alertmanager_receiver_systemd_required_services_list_default + matrix_alertmanager_receiver_systemd_required_services_list_auto + matrix_alertmanager_receiver_systemd_required_services_list_custom }}" +matrix_alertmanager_receiver_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +matrix_alertmanager_receiver_systemd_required_services_list_auto: [] +matrix_alertmanager_receiver_systemd_required_services_list_custom: [] + +# List of systemd services that matrix-alertmanager-receiver-proxy.service wants +matrix_alertmanager_receiver_systemd_wanted_services_list: [] + +# Controls the `http.port` configuration setting. +matrix_alertmanager_receiver_config_http_port: 12345 + +# Controls the `http.alerts-path-prefix` configuration setting. +matrix_alertmanager_receiver_config_http_alerts_path_prefix: /alerts + +# Controls the `http.metrics-enabled` configuration setting. +matrix_alertmanager_receiver_config_http_metrics_enabled: false + +# Controls the `http.metrics-path` configuration setting. +matrix_alertmanager_receiver_config_http_metrics_path: /metrics + +# Controls the `matrix.homeserver-url` configuration setting. +matrix_alertmanager_receiver_config_matrix_homeserver_url: '' + +# Controls the `matrix.user-id` configuration setting. +matrix_alertmanager_receiver_config_matrix_user_id: "@{{ matrix_alertmanager_receiver_config_matrix_user_id_localpart }}:{{ matrix_domain }}" +matrix_alertmanager_receiver_config_matrix_user_id_localpart: "bot.alertmanager.receiver" + +# Controls the `matrix.access-token` configuration setting. 
+matrix_alertmanager_receiver_config_matrix_access_token: '' + +# Controls the `matrix.room-mapping` configuration setting. +# +# Example: +# matrix_alertmanager_receiver_config_matrix_room: +# simple-name: "!qohfwef7qwerf:example.com" +# another-name: "!bf3zfio3wbanw:example.com" +matrix_alertmanager_receiver_config_matrix_room_mapping: {} + +# Controls the `templating.external-url-mapping` configuration setting. +# +# The key is the original value taken from the Alertmanager payload +# The value is the mapped value which will be available as '.ExternalURL' in templates +# +# Example: +# matrix_alertmanager_receiver_config_templating_external_url_mapping: +# "http://alertmanager:9093": https://alertmanager.example.com +# "http://alertmanager:9094": https://another.alertmanager.example.com +matrix_alertmanager_receiver_config_templating_external_url_mapping: {} + +# Controls the `templating.generator-url-mapping` configuration setting. +# +# The key is the original value taken from the Alertmanager payload +# The value is the mapped value which will be available as '.ExternalURL' in templates +# +# Example: +# matrix_alertmanager_receiver_config_templating_generator_url_mapping: +# "http://prometheus:8080": https://prometheus.example.com +# "http://prometheus:8081": https://another.prometheus.example.com +matrix_alertmanager_receiver_config_templating_generator_url_mapping: {} + +# Controls the `templating.computed-values` configuration setting. 
+matrix_alertmanager_receiver_config_templating_computed_values: "{{ matrix_alertmanager_receiver_config_templating_computed_values_default + matrix_alertmanager_receiver_config_templating_computed_values_auto + matrix_alertmanager_receiver_config_templating_computed_values_custom }}" +matrix_alertmanager_receiver_config_templating_computed_values_default: + - values: # always set 'color' to 'yellow' + color: yellow + - values: # set 'color' to 'orange' when alert label 'severity' is 'warning' + color: orange + when-matching-labels: + severity: warning + - values: # set 'color' to 'red' when alert label 'severity' is 'critical' + color: red + when-matching-labels: + severity: critical + - values: # set 'color' to 'green' when alert status is 'resolved' + color: green + when-matching-status: resolved +matrix_alertmanager_receiver_config_templating_computed_values_auto: [] +matrix_alertmanager_receiver_config_templating_computed_values_custom: [] + +# Controls the `templating.firing-template` configuration setting. +matrix_alertmanager_receiver_config_templating_firing_template: |- + {% raw %} +

+ {{ .Alert.Status | ToUpper }} + {{ if .Alert.Labels.name }} + {{ .Alert.Labels.name }} + {{ else if .Alert.Labels.alertname }} + {{ .Alert.Labels.alertname }} + {{ end }} + >> + {{ if .Alert.Labels.severity }} + {{ .Alert.Labels.severity | ToUpper }}: + {{ end }} + {{ if .Alert.Annotations.description }} + {{ .Alert.Annotations.description }} + {{ else if .Alert.Annotations.summary }} + {{ .Alert.Annotations.summary }} + {{ end }} + >> + {{ if .Alert.Annotations.runbook_url }} + Runbook | + {{ end }} + {{ if .Alert.Annotations.dashboard }} + Dashboard | + {{ end }} + Silence +

+ {% endraw %} + +# Controls the `templating.resolved-template` configuration setting. +matrix_alertmanager_receiver_config_templating_resolved_template: |- + {% raw %} + {{ .Alert.Status | ToUpper }}{{ .Alert.Labels.name }}' + {% endraw %} + +# Default matrix-alertmanager-receiver configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_alertmanager_receiver_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_alertmanager_receiver_configuration_yaml: "{{ lookup('template', 'templates/config.yml.j2') }}" + +matrix_alertmanager_receiver_configuration_extension_yaml: | + # Your custom YAML configuration for matrix-alertmanager-receiver goes here. + # This configuration extends the default starting configuration (`matrix_alertmanager_receiver_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_alertmanager_receiver_configuration_yaml`. + # + # Example configuration extension follows: + # + # http: + # address: '' + +matrix_alertmanager_receiver_configuration_extension: "{{ matrix_alertmanager_receiver_configuration_extension_yaml | from_yaml if matrix_alertmanager_receiver_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final matrix-alertmanager-receiver configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_alertmanager_receiver_configuration_yaml`. +matrix_alertmanager_receiver_configuration: "{{ matrix_alertmanager_receiver_configuration_yaml | from_yaml | combine(matrix_alertmanager_receiver_configuration_extension, recursive=True) }}" 
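Review bot: `matrix_alertmanager_receiver_container_labels_public_metrics_enabled` references `matrix_alertmanager_receiver_metrics_enabled`, which this defaults file never defines; it only exists in `group_vars/matrix_servers`, so the role fails with an undefined-variable error when used outside the playbook. Add a default next to the other metrics settings, e.g. `# Controls whether matrix-alertmanager-receiver metrics are enabled at all (see matrix_alertmanager_receiver_config_http_metrics_enabled)` followed by `matrix_alertmanager_receiver_metrics_enabled: false`. The resolved-template appears to end with a stray `'` after `{{ .Alert.Labels.name }}`, which would be rendered verbatim into every resolved notification (unless it is a remnant of markup lost in this rendering of the patch). Two comments also look like copy-paste leftovers: the systemd list comments say `matrix-alertmanager-receiver-proxy.service` while the unit installed by this role is `matrix-alertmanager-receiver.service`, and the room-mapping example uses the key `matrix_alertmanager_receiver_config_matrix_room` instead of `..._room_mapping`.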
diff --git a/roles/custom/matrix-alertmanager-receiver/tasks/install.yml b/roles/custom/matrix-alertmanager-receiver/tasks/install.yml new file mode 100644 index 000000000..de946bb5a --- /dev/null +++ b/roles/custom/matrix-alertmanager-receiver/tasks/install.yml 
@@ -0,0 +1,80 @@
+---
+
+- name: Ensure matrix-alertmanager-receiver paths exist
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - path: "{{ matrix_alertmanager_receiver_base_path }}"
+ when: true
+ - path: "{{ matrix_alertmanager_receiver_config_path }}"
+ when: true
+ - path: "{{ matrix_alertmanager_receiver_container_src_path }}"
+ when: "{{ matrix_alertmanager_receiver_container_image_self_build }}"
+ when: item.when | bool
+
+- name: Ensure matrix-alertmanager-receiver configuration installed
+ ansible.builtin.copy:
+ content: "{{ matrix_alertmanager_receiver_configuration | to_nice_yaml(indent=2, width=999999) }}"
+ dest: "{{ matrix_alertmanager_receiver_config_path }}/config.yml"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-alertmanager-receiver support files installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/{{ item }}.j2"
+ dest: "{{ matrix_alertmanager_receiver_base_path }}/{{ item }}"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - labels
+
+- name: Ensure matrix-alertmanager-receiver container image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_alertmanager_receiver_container_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_alertmanager_receiver_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_alertmanager_receiver_container_image_force_pull }}"
+ when: "not matrix_alertmanager_receiver_container_image_self_build | bool"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
+- when: matrix_alertmanager_receiver_container_image_self_build | bool
+ block:
+ - name: Ensure matrix-alertmanager-receiver repository is present on self-build
+ ansible.builtin.git:
+ repo: "{{ matrix_alertmanager_receiver_container_image_self_build_repo }}"
+ version: "{{ matrix_alertmanager_receiver_container_image_self_build_repo_version }}"
+ dest: "{{ matrix_alertmanager_receiver_container_src_path }}"
+ force: "yes"
+ become: true
+ become_user: "{{ matrix_user_username }}"
+ register: matrix_alertmanager_receiver_git_pull_results
+
+ - name: Ensure matrix-alertmanager-receiver container image is built
+ ansible.builtin.command:
+ cmd: |-
+ {{ devture_systemd_docker_base_host_command_docker }} buildx build
+ --tag={{ matrix_alertmanager_receiver_container_image }}
+ --file={{ matrix_alertmanager_receiver_container_src_path }}/contrib/Dockerfile
+ {{ matrix_alertmanager_receiver_container_src_path }}
+ changed_when: true
+
+- name: Ensure matrix-alertmanager-receiver container network is created
+ community.general.docker_network:
+ enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+ name: "{{ matrix_alertmanager_receiver_container_network }}"
+ driver: bridge
+
+- name: Ensure matrix-alertmanager-receiver.service installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/systemd/matrix-alertmanager-receiver.service.j2"
+ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-alertmanager-receiver.service"
+ mode: 0644
diff --git a/roles/custom/matrix-alertmanager-receiver/tasks/main.yml b/roles/custom/matrix-alertmanager-receiver/tasks/main.yml
new file mode 100644
index 000000000..b6ff76aca
--- /dev/null
+++ b/roles/custom/matrix-alertmanager-receiver/tasks/main.yml
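Review bot: The rendered `config.yml` contains `matrix.access-token`, yet the copy task writes it with `mode: 0644`, so the bot's Matrix credential is readable by any local account that can traverse the directory (the directories are created `0750`, so this is defence in depth rather than an immediate exposure); the `labels` file in the next task already uses `0640`, and the config file should too: `mode: 0640`. The container runs as `matrix_user_uid` with the config mounted read-only, so owner/group-readable is sufficient. The unquoted octal literals (`0750`, `0644`, `0640`) are parsed as integers by YAML 1.1 loaders (octal 420 for `0644`), which Ansible accepts but ansible-lint flags as `risky-octal`; quoting them as `"0640"` avoids that.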
@@ -0,0 +1,20 @@
+---
+
+- tags:
+ - setup-all
+ - setup-alertmanager-receiver
+ - install-all
+ - install-alertmanager-receiver
+ block:
+ - when: matrix_alertmanager_receiver_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+ - when: matrix_alertmanager_receiver_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+ - setup-all
+ - setup-alertmanager-receiver
+ block:
+ - when: not matrix_alertmanager_receiver_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
diff --git a/roles/custom/matrix-alertmanager-receiver/tasks/uninstall.yml b/roles/custom/matrix-alertmanager-receiver/tasks/uninstall.yml
new file mode 100644
index 000000000..f0a82acbf
--- /dev/null
+++ b/roles/custom/matrix-alertmanager-receiver/tasks/uninstall.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of matrix-alertmanager-receiver service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-alertmanager-receiver.service"
+ register: matrix_alertmanager_receiver_service_stat
+
+- when: matrix_alertmanager_receiver_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-alertmanager-receiver is stopped
+ ansible.builtin.service:
+ name: matrix-alertmanager-receiver
+ state: stopped
+ enabled: false
+ daemon_reload: true
+
+ - name: Ensure matrix-alertmanager-receiver.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-alertmanager-receiver.service"
+ state: absent
+
+ - name: Ensure matrix-alertmanager-receiver paths don't exist
+ ansible.builtin.file:
+ path: "{{ matrix_alertmanager_receiver_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml b/roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml
new file mode 100644
index 000000000..83591a956
--- /dev/null
+++ b/roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml
@@ -0,0 +1,14 @@
+---
+- name: Fail if required matrix-alertmanager-receiver settings not defined
+ ansible.builtin.fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item.name }}`).
+ when: "item.when | bool and vars[item.name] == ''"
+ with_items:
+ - {'name': 'matrix_alertmanager_receiver_hostname', when: true}
+ - {'name': 'matrix_alertmanager_receiver_path_prefix', when: true}
+ - {'name': 'matrix_alertmanager_receiver_config_matrix_homeserver_url', when: true}
+ - {'name': 'matrix_alertmanager_receiver_config_matrix_access_token', when: true}
+ - {'name': 'matrix_alertmanager_receiver_container_network', when: true}
+ - {'name': 'matrix_alertmanager_receiver_metrics_proxying_hostname', when: "{{ matrix_alertmanager_receiver_metrics_proxying_enabled }}"}
+ - {'name': 'matrix_alertmanager_receiver_metrics_proxying_path_prefix', when: "{{ matrix_alertmanager_receiver_metrics_proxying_enabled }}"}
diff --git a/roles/custom/matrix-alertmanager-receiver/templates/config.yml.j2 b/roles/custom/matrix-alertmanager-receiver/templates/config.yml.j2
new file mode 100644
index 000000000..40d37f9b7
--- /dev/null
+++ b/roles/custom/matrix-alertmanager-receiver/templates/config.yml.j2
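Review bot: The last item checks `matrix_alertmanager_receiver_metrics_proxying_path_prefix`, but the variable the role defines and uses is `matrix_alertmanager_receiver_metrics_proxying_path`; because the condition does `vars[item.name]`, enabling metrics proxying makes this task fail with an undefined-variable error instead of validating anything. Change it to `- {'name': 'matrix_alertmanager_receiver_metrics_proxying_path', when: "{{ matrix_alertmanager_receiver_metrics_proxying_enabled }}"}`. The defaults also state that `matrix_alertmanager_receiver_path_prefix` must be `/` or not end with a slash, which nothing here verifies; a second task asserting `matrix_alertmanager_receiver_path_prefix == '/' or not matrix_alertmanager_receiver_path_prefix.endswith('/')` would turn a misconfiguration that otherwise only surfaces as odd Traefik routing into a clear failure.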
@@ -0,0 +1,37 @@
+#jinja2: lstrip_blocks: "True"
+# configuration of the HTTP server
+http:
+ address: 0.0.0.0 # bind address for this service. Can be left unspecified to bind on all interfaces
+ port: {{ matrix_alertmanager_receiver_config_http_port | to_json }} # port used by this service
+ alerts-path-prefix: {{ matrix_alertmanager_receiver_config_http_alerts_path_prefix | to_json }} # URL path for the webhook receiver called by an Alertmanager. Defaults to /alerts
+ metrics-path: {{ matrix_alertmanager_receiver_config_http_metrics_path | to_json }} # URL path to collect metrics. Defaults to /metrics
+ metrics-enabled: {{ matrix_alertmanager_receiver_config_http_metrics_enabled | to_json }} # Whether to enable metrics or not. Defaults to false
+
+# configuration for the Matrix connection
+matrix:
+ homeserver-url: {{ matrix_alertmanager_receiver_config_matrix_homeserver_url | to_json }} # FQDN of the homeserver
+ user-id: {{ matrix_alertmanager_receiver_config_matrix_user_id | to_json }} # ID of the user used by this service
+ access-token: {{ matrix_alertmanager_receiver_config_matrix_access_token | to_json }} # Access token for the user ID
+ # define short names for Matrix room ID
+ room-mapping: {{ matrix_alertmanager_receiver_config_matrix_room_mapping | to_json }}
+
+# configuration of the templating features
+templating:
+ # mapping of ExternalURL values
+ # key is the original value taken from the Alertmanager payload
+ # value is the mapped value which will be available as '.ExternalURL' in templates
+ external-url-mapping: {{ matrix_alertmanager_receiver_config_templating_external_url_mapping | to_json }}
+ # mapping of GeneratorURL values
+ # key is the original value taken from the Alertmanager payload
+ # value is the mapped value which will be available as '.GeneratorURL' in templates
+ generator-url-mapping: {{ matrix_alertmanager_receiver_config_templating_generator_url_mapping | to_json }}
+
+ # computation of arbitrary values based on matching alert annotations, labels, or status
+ # values will be evaluated top to bottom, last entry wins
+ computed-values: {{ matrix_alertmanager_receiver_config_templating_computed_values | to_json }}
+
+ # template for alerts in status 'firing'
+ firing-template: {{ matrix_alertmanager_receiver_config_templating_firing_template | to_json }}
+
+ # template for alerts in status 'resolved', if not specified will use the firing-template
+ resolved-template: {{ matrix_alertmanager_receiver_config_templating_resolved_template | to_json }}
diff --git a/roles/custom/matrix-alertmanager-receiver/templates/labels.j2 b/roles/custom/matrix-alertmanager-receiver/templates/labels.j2
new file mode 100644
index 000000000..8bf7d22b9
--- /dev/null
+++ b/roles/custom/matrix-alertmanager-receiver/templates/labels.j2
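Review bot: The inline comment on `homeserver-url` says `# FQDN of the homeserver`, but the value comes from `matrix_alertmanager_receiver_config_matrix_homeserver_url`, which the group_vars hunk sets to the homeserver's client API URL rather than a bare hostname; suggest `# Base URL of the homeserver's client API`. The docs hunk at the top of this patch shows `/alert/` in the example webhook URLs and mentions cleaner `/alert/` URLs, while the default `alerts-path-prefix` rendered here is `/alerts`; one of the two is probably off by a letter and should be reconciled before users copy the example into Alertmanager.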
@@ -0,0 +1,69 @@
+{% if matrix_alertmanager_receiver_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_alertmanager_receiver_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_alertmanager_receiver_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-alertmanager-receiver.loadbalancer.server.port={{ matrix_alertmanager_receiver_config_http_port }}
+
+{% set middlewares = [] %}
+
+{% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-alertmanager-receiver-slashless-redirect.redirectregex.regex=({{ matrix_alertmanager_receiver_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-alertmanager-receiver-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-alertmanager-receiver-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-alertmanager-receiver-strip-prefix.stripprefix.prefixes={{ matrix_alertmanager_receiver_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-alertmanager-receiver-strip-prefix'] %}
+{% endif %}
+
+traefik.http.routers.matrix-alertmanager-receiver.rule={{ matrix_alertmanager_receiver_container_labels_traefik_rule }}
+{% if matrix_alertmanager_receiver_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver.priority={{ matrix_alertmanager_receiver_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-alertmanager-receiver.service=matrix-alertmanager-receiver
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-alertmanager-receiver.entrypoints={{ matrix_alertmanager_receiver_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-alertmanager-receiver.tls={{ matrix_alertmanager_receiver_container_labels_traefik_tls | to_json }}
+{% if matrix_alertmanager_receiver_container_labels_traefik_tls %}
+traefik.http.routers.matrix-alertmanager-receiver.tls.certResolver={{ matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_enabled %}
+{% set metrics_middlewares = [] %}
+
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled %}
+{% set metrics_middlewares = metrics_middlewares + ['matrix-alertmanager-receiver-metrics-basic-auth'] %}
+traefik.http.middlewares.matrix-alertmanager-receiver-metrics-basic-auth.basicauth.users={{ matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_users }}
+{% endif %}
+
+{% set metrics_middlewares = metrics_middlewares + ['matrix-alertmanager-receiver-metrics-replacepath'] %}
+traefik.http.middlewares.matrix-alertmanager-receiver-metrics-replacepath.replacepath.path={{ matrix_alertmanager_receiver_config_http_metrics_path }}
+
+traefik.http.routers.matrix-alertmanager-receiver-metrics.rule={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_rule }}
+
+{% if metrics_middlewares | length > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver-metrics.middlewares={{ metrics_middlewares | join(',') }}
+{% endif %}
+
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver-metrics.priority={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-alertmanager-receiver-metrics.service=matrix-alertmanager-receiver
+traefik.http.routers.matrix-alertmanager-receiver-metrics.entrypoints={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_entrypoints }}
+
+traefik.http.routers.matrix-alertmanager-receiver-metrics.tls={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls | to_json }}
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls %}
+traefik.http.routers.matrix-alertmanager-receiver-metrics.tls.certResolver={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls_certResolver }}
+{% endif %}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_alertmanager_receiver_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-alertmanager-receiver/templates/systemd/matrix-alertmanager-receiver.service.j2 b/roles/custom/matrix-alertmanager-receiver/templates/systemd/matrix-alertmanager-receiver.service.j2
new file mode 100644
index 000000000..4d7e43c54
--- /dev/null
+++ b/roles/custom/matrix-alertmanager-receiver/templates/systemd/matrix-alertmanager-receiver.service.j2
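Review bot: The two consecutive `{% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %}` blocks test the same condition and only differ in which middleware they declare; merging them into one block with both `redirectregex` and `stripprefix` labels and a single `{% set middlewares = middlewares + [...] %}` would make the routing easier to audit. This template gates the metrics basic-auth middleware on `matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled`, which is the spelling the group_vars wiring must match for the auth middleware to be emitted at all. The blank line between the metrics router's `entrypoints` and `tls` labels is also the only such gap in the file and looks accidental.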
@@ -0,0 +1,50 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=matrix-alertmanager-receiver
+{% for service in matrix_alertmanager_receiver_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_alertmanager_receiver_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-alertmanager-receiver 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-alertmanager-receiver 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-alertmanager-receiver \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --network={{ matrix_alertmanager_receiver_container_network }} \
+ --mount type=bind,src={{ matrix_alertmanager_receiver_config_path }},dst=/config,ro \
+ --label-file={{ matrix_alertmanager_receiver_base_path }}/labels \
+ {% for arg in matrix_alertmanager_receiver_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_alertmanager_receiver_container_image }} \
+ --config-path=/config/config.yml {{ matrix_alertmanager_receiver_container_process_extra_arguments | join(' ') }} \
+ --log-level={{ matrix_alertmanager_receiver_container_process_argument_log_level }}
+
+{% for network in matrix_alertmanager_receiver_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-alertmanager-receiver
+{% endfor %}
+
+ExecStart={{ 
devture_systemd_docker_base_host_command_docker }} start --attach matrix-alertmanager-receiver
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-alertmanager-receiver 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-alertmanager-receiver 2>/dev/null || true'
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-alertmanager-receiver
+
+[Install]
+WantedBy=multi-user.target
diff --git a/setup.yml b/setup.yml
index f284ec88c..c0551b7fe 100644
--- a/setup.yml
+++ b/setup.yml
@@ -51,6 +51,7 @@ - galaxy/keydb - custom/matrix-corporal - custom/matrix-appservice-draupnir-for-all + - custom/matrix-alertmanager-receiver - custom/matrix-bridge-appservice-discord - custom/matrix-bridge-appservice-slack - custom/matrix-bridge-appservice-webhooks
From 2617d00e7567360b99c5430e9b6a423fc59d0688 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jul 2024 21:53:08 +0300 Subject: [PATCH 27/46] Adjust indentation for matrix-alertmanager-receiver --- ...figuring-playbook-alertmanager-receiver.md | 28 +++++++++---------- .../defaults/main.yml | 26 ++++++++--------- 2 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/docs/configuring-playbook-alertmanager-receiver.md b/docs/configuring-playbook-alertmanager-receiver.md
index f85facefe..3fd90643c 100644
--- a/docs/configuring-playbook-alertmanager-receiver.md
+++ b/docs/configuring-playbook-alertmanager-receiver.md
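Review bot: In the `docker create` invocation, `matrix_alertmanager_receiver_container_process_extra_arguments` is expanded before the template's own `--log-level=...`, so a `--log-level` supplied through that list lands ahead of the role's, and which one wins depends on how the binary treats a repeated flag (last-wins, first-wins or an error). Appending the extra arguments after the fixed flags instead, `--log-level={{ matrix_alertmanager_receiver_container_process_argument_log_level }} {{ matrix_alertmanager_receiver_container_process_extra_arguments | join(' ') }}`, gives user-supplied flags a predictable position regardless of parser behaviour. The hardening in the same block (`--cap-drop=ALL`, `--read-only`, non-root `--user`, config directory mounted `ro`) is in place, which is what one wants for a process whose only job is to accept webhooks and talk to the homeserver. The setup.yml hunk that also ends on this line only registers the role and needs nothing.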
@@ -72,20 +72,20 @@ Then, you can proceed to [Usage](#usage). Configure your Prometheus Alertmanager with configuration like this: ```yml - receivers: - - name: matrix - webhook_configs: - - send_resolved: true - url: URL_HERE - route: - group_by: - - namespace - group_interval: 5m - group_wait: 30s - receiver: "matrix" - repeat_interval: 12h - routes: - - receiver: matrix +receivers: + - name: matrix + webhook_configs: + - send_resolved: true + url: URL_HERE +route: + group_by: + - namespace + group_interval: 5m + group_wait: 30s + receiver: "matrix" + repeat_interval: 12h + routes: + - receiver: matrix ``` .. where `URL_HERE` looks like `https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/some-room-name` or `https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/!some-room-id:DOMAIN`. diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index d802c9c77..d88db1cb1 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml 
@@ -156,19 +156,19 @@ matrix_alertmanager_receiver_config_templating_generator_url_mapping: {} # Controls the `templating.computed-values` configuration setting. matrix_alertmanager_receiver_config_templating_computed_values: "{{ matrix_alertmanager_receiver_config_templating_computed_values_default + matrix_alertmanager_receiver_config_templating_computed_values_auto + matrix_alertmanager_receiver_config_templating_computed_values_custom }}" matrix_alertmanager_receiver_config_templating_computed_values_default: - - values: # always set 'color' to 'yellow' - color: yellow - - values: # set 'color' to 'orange' when alert label 'severity' is 'warning' - color: orange - when-matching-labels: - severity: warning - - values: # set 'color' to 'red' when alert label 'severity' is 'critical' - color: red - when-matching-labels: - severity: critical - - values: # set 'color' to 'green' when alert status is 'resolved' - color: green - when-matching-status: resolved + - values: # always set 'color' to 'yellow' + color: yellow + - values: # set 'color' to 'orange' when alert label 'severity' is 'warning' + color: orange + when-matching-labels: + severity: warning + - values: # set 'color' to 'red' when alert label 'severity' is 'critical' + color: red + when-matching-labels: + severity: critical + - values: # set 'color' to 'green' when alert status is 'resolved' + color: green + when-matching-status: resolved matrix_alertmanager_receiver_config_templating_computed_values_auto: [] matrix_alertmanager_receiver_config_templating_computed_values_custom: [] From f5a088b820a0389d7e5f0bb21f6bd89f3ba99d69 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jul 2024 22:10:23 +0300 Subject: [PATCH 28/46] Remove useless quote --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index d88db1cb1..05338c638 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -205,7 +205,7 @@ matrix_alertmanager_receiver_config_templating_firing_template: |- # Controls the `templating.resolved-template` configuration setting. matrix_alertmanager_receiver_config_templating_resolved_template: |- {% raw %} - {{ .Alert.Status | ToUpper }}{{ .Alert.Labels.name }}' + {{ .Alert.Status | ToUpper }}{{ .Alert.Labels.name }} {% endraw %} # Default matrix-alertmanager-receiver configuration template which covers the generic use case. From a3200523b521ade70c1da4e87dd3c3231df2bf5d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 7 Jul 2024 04:40:55 +0000 Subject: [PATCH 29/46] honoroit v0.9.22 (#3398) * honoroit v0.9.22 * Add more spaces before comments to make yamllint happy * Add more spaces before comment to make yamllint happy --------- Co-authored-by: Slavi Pantaleev --- .../matrix-bot-honoroit/defaults/main.yml | 33 ++++++++++++------- .../tasks/setup_install.yml | 23 ------------- .../matrix-bot-honoroit/templates/env.j2 | 16 +++++++-- .../matrix-bot-honoroit/templates/labels.j2 | 5 --- 4 files changed, 35 insertions(+), 42 deletions(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 670e8499b..630c90dbd 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
@@ -21,7 +21,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/honoroit -matrix_bot_honoroit_version: v0.9.21 +matrix_bot_honoroit_version: v0.9.22 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" @@ -39,15 +39,6 @@ matrix_bot_honoroit_container_network: "" # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_bot_honoroit_container_additional_networks: [] -# enable basic auth for metrics -matrix_bot_honoroit_basicauth_enabled: false -# temporary file name on the host that runs ansible -matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd" -# username -matrix_bot_honoroit_basicauth_user: '' -# password -matrix_bot_honoroit_basicauth_password: '' - # matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `../templates/labels.j2` for details. # 
@@ -149,8 +140,26 @@ matrix_bot_honoroit_sentry: '' # Log level matrix_bot_honoroit_loglevel: ''
-# Disable encryption
-matrix_bot_honoroit_noencryption: false
+# /metrics basic auth login
+matrix_bot_honoroit_auth_metrics_login: ''
+# /metrics basic auth password
+matrix_bot_honoroit_auth_metrics_password: ''
+# /metrics basic auth allowed IPs
+matrix_bot_honoroit_auth_metrics_ips: []
+
+# Optional healthchecks.io integration
+matrix_bot_honoroit_healthchecks_url: 'https://hc-ping.com'
+matrix_bot_honoroit_healthchecks_uuid: ''
+matrix_bot_honoroit_healthchecks_duration: 60 # in seconds
+
+# Optional Redmine integration
+matrix_bot_honoroit_redmine_host: '' # e.g. https://redmine.example.com
+matrix_bot_honoroit_redmine_apikey: ''
+matrix_bot_honoroit_redmine_project: '' # project identifier (e.g. 'myproject')
+matrix_bot_honoroit_redmine_tracker_id: '' # tracker id (e.g. 1)
+matrix_bot_honoroit_redmine_new_status_id: '' # new status id (e.g. 1)
+matrix_bot_honoroit_redmine_in_progress_status_id: '' # in progress status id (e.g. 2)
+matrix_bot_honoroit_redmine_done_status_id: '' # done status id (e.g. 3) # A list of whitelisted users allowed to use/invite honoroit # If not defined, everyone is allowed.
diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
index 93e219e89..438612eb7 100644
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
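Review bot: `matrix_bot_honoroit_auth_metrics_login` and `matrix_bot_honoroit_auth_metrics_password` default to empty, and because the labels.j2 hunk later in this commit drops the Traefik `basicauth` middleware for the metrics router, these two values are now the only protection for a `/metrics` route that is still published through Traefik; the defaults should make that shift explicit, e.g. `# Basic auth for /metrics is enforced by honoroit itself (HONOROIT_AUTH_METRICS_*); the playbook no longer adds a Traefik basicauth middleware in front of it.` What honoroit does when both are empty is not visible here and is worth stating in the same comment once confirmed. The removal of `matrix_bot_honoroit_noencryption` in this hunk and of `matrix_bot_honoroit_basicauth_*` in the `-39,15` hunk is silent for existing inventories — a value still set in vars.yml is simply ignored — so if the role has a validate_config task listing removed variables, these names belong there.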
@@ -40,21 +40,6 @@ - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Determine basicauth filename - ansible.builtin.set_fact: - matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}" - when: matrix_bot_honoroit_basicauth_enabled | bool - -- name: Generate basic auth file - community.general.htpasswd: - path: "{{ matrix_bot_honoroit_basicauth_file }}" - name: "{{ matrix_bot_honoroit_basicauth_user }}" - password: "{{ matrix_bot_honoroit_basicauth_password }}" - mode: 0640 - become: false - delegate_to: 127.0.0.1 - when: matrix_bot_honoroit_basicauth_enabled | bool - - name: Ensure honoroit support files installed ansible.builtin.template: src: "{{ role_path }}/templates/{{ item }}.j2" @@ -66,14 +51,6 @@ - env - labels -- name: Ensure temporary basic auth file is removed - ansible.builtin.file: - path: "{{ matrix_bot_honoroit_basicauth_file }}" - state: absent - become: false - delegate_to: 127.0.0.1 - when: matrix_bot_honoroit_basicauth_enabled | bool - - name: Ensure honoroit image is pulled community.docker.docker_image: name: "{{ matrix_bot_honoroit_docker_image }}" diff --git a/roles/custom/matrix-bot-honoroit/templates/env.j2 b/roles/custom/matrix-bot-honoroit/templates/env.j2 index 0cfd88c1d..e061a3687 100644 --- a/roles/custom/matrix-bot-honoroit/templates/env.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/env.j2 
@@ -5,10 +5,22 @@ HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}
 HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}
 HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}
 HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}
-HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}
+HONOROIT_AUTH_METRICS_LOGIN={{ matrix_bot_honoroit_auth_metrics_login }}
+HONOROIT_AUTH_METRICS_PASSWORD={{ matrix_bot_honoroit_auth_metrics_password }}
+HONOROIT_AUTH_METRICS_IPS={{ matrix_bot_honoroit_auth_metrics_ips | default([]) | join(' ') }}
+HONOROIT_REDMINE_HOST={{ matrix_bot_honoroit_redmine_host }}
+HONOROIT_REDMINE_APIKEY={{ matrix_bot_honoroit_redmine_apikey }}
+HONOROIT_REDMINE_PROJECT={{ matrix_bot_honoroit_redmine_project }}
+HONOROIT_REDMINE_TRACKERID={{ matrix_bot_honoroit_redmine_tracker_id }}
+HONOROIT_REDMINE_NEWSTATUSID={{ matrix_bot_honoroit_redmine_new_status_id }}
+HONOROIT_REDMINE_INPROGRESSSTATUSID={{ matrix_bot_honoroit_redmine_in_progress_status_id }}
+HONOROIT_REDMINE_DONESTATUSID={{ matrix_bot_honoroit_redmine_done_status_id }}
+HONOROIT_MONITORING_SENTRY_DSN={{ matrix_bot_honoroit_sentry }}
+HONOROIT_MONITORING_HEALTHCHECKS_URL={{ matrix_bot_honoroit_healthchecks_url }}
+HONOROIT_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_honoroit_healthchecks_uuid }}
+HONOROIT_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_honoroit_healthchecks_duration }}
 HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}
 HONOROIT_CACHESIZE={{ matrix_bot_honoroit_cachesize }}
-HONOROIT_NOENCRYPTION={{ matrix_bot_honoroit_noencryption }}
 HONOROIT_IGNORENOTHREAD={{ matrix_bot_honoroit_ignorenothread }}
 HONOROIT_IGNOREDROOMS={{ matrix_bot_honoroit_ignoredrooms | join(' ') }}
 HONOROIT_ALLOWEDUSERS={{ matrix_bot_honoroit_allowedusers | join(' ') }}
diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2
index ef210c49d..74e357914 100644
--- a/roles/custom/matrix-bot-honoroit/templates/labels.j2
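Review bot: The `| default([])` on `HONOROIT_AUTH_METRICS_IPS` is inconsistent with its siblings — the defaults hunk in this commit declares `matrix_bot_honoroit_auth_metrics_ips: []`, and the existing `HONOROIT_IGNOREDROOMS`/`HONOROIT_ALLOWEDUSERS` lines join their lists without a fallback; `HONOROIT_AUTH_METRICS_IPS={{ matrix_bot_honoroit_auth_metrics_ips | join(' ') }}` matches the file's style. This env file now also carries `HONOROIT_AUTH_METRICS_PASSWORD` and `HONOROIT_REDMINE_APIKEY` in addition to the database DSN; the mode it is written with comes from the template task in setup_install.yml, outside this hunk, and is worth confirming to be owner-only readable now that more secrets live in it. A comment above the `HONOROIT_AUTH_METRICS_*` group noting that they replace the former Traefik-level basic auth would also save the next maintainer a trip through the git history.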
+++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 @@ -28,11 +28,6 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh {% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %} {% endif %} -{% if matrix_bot_honoroit_basicauth_enabled %} -traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }} -{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} -{% endif %} - {% if middlewares_metrics | length > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} From 0f037bba48ebaa02b2218a425551c7f0a1fba0fd Mon Sep 17 00:00:00 2001 From: Kuchenmampfer <79256346+Kuchenmampfer@users.noreply.github.com> Date: Sun, 7 Jul 2024 16:44:19 +0000 Subject: [PATCH 30/46] Update broken link in configuring-playbook-prometheus-grafana.md --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 6f127ca36..131b1752e 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md 
@@ -121,7 +121,7 @@ scrape_configs: ## More information -- [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/element-hq/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki +- [Understanding Synapse Performance Issues Through Grafana Graphs](https://element-hq.github.io/synapse/latest/usage/administration/understanding_synapse_through_grafana_graphs.html) at the Synapse Github Wiki - [The Prometheus scraping rules](https://github.com/element-hq/synapse/tree/master/contrib/prometheus) (we use v2) - [The Synapse Grafana dashboard](https://github.com/element-hq/synapse/tree/master/contrib/grafana) - [The Node Exporter dashboard](https://github.com/rfrail3/grafana-dashboards) (for generic non-synapse performance graphs) From a56c2f8921bfaff6c31ef1669e14b04c022e386d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Jul 2024 07:22:05 +0300 Subject: [PATCH 31/46] Mention matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled to people running their own webserver Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3402 --- CHANGELOG.md | 12 ++++++++++++ docs/configuring-playbook-own-webserver.md | 8 ++++++++ 2 files changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0011dac45..3304d3a93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -53,6 +53,18 @@ devture_traefik_config_entrypoint_web_secure_http3_enabled: false matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false ``` +If you are using [your own webserver](./docs/configuring-playbook-own-webserver.md) (in front of Traefik), port binding on UDP port `8448` by default due to HTTP/3 is either unnecessary or [may get in the way](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3402). If it does, you can disable it: + +```yml +# Disable HTTP/3 for the federation entrypoint. +# If you'd like HTTP/3, consider configuring it for your other reverse-proxy. +# +# Disabling this also sets `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to an empty value. +# If you'd like to keep HTTP/3 enabled here (for whatever reason), you may wish to explicitly +# set `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to something like '127.0.0.1:8449'. +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false +``` + # 2024-07-01 diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 702103670..399d8a9f1 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -171,6 +171,14 @@ devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true # - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs` matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.0.1:8449' +# Disable HTTP/3 for the federation entrypoint. +# If you'd like HTTP/3, consider configuring it for your other reverse-proxy. +# +# Disabling this also sets `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to an empty value. +# If you'd like to keep HTTP/3 enabled here (for whatever reason), you may wish to explicitly +# set `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to something like '127.0.0.1:8449'. +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false + # Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above, # this may need to be reconfigured. See the comments above. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: From 6c3746b23753c7c45fd6d33e83484eeff3a61630 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Jul 2024 07:33:50 +0300 Subject: [PATCH 32/46] Update migrating guide to make it clear that switching CPU architecture requires skipping /matrix/postgres/data --- docs/maintenance-migrating.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index 4c1f71198..6a56b9a04 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md 
@@ -1,6 +1,6 @@ -> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). -> -> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore. +> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). +> +> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data (`/matrix/postgres/data`) between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to avoid syncing `/matrix/postgres/data` to the new host, and also dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore. # Migrating to new server From e32190433d5ecaba3afd516b79f03f120d0e8e5d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:28:18 +0000 Subject: [PATCH 33/46] Update dependency etherpad to v2.1.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d05919e8b..8880f28d6 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -16,7 +16,7 @@ version: 129c8590e106b83e6f4c259649a613c6279e937a name: docker_sdk_for_python - src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v2.1.0-1 + version: v2.1.1-0 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git version: v4.97.1-r0-1-0 From 8e7ab4e23ffbd63751471634356a788e77a97da4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:38:08 +0000 Subject: [PATCH 34/46] Update vectorim/element-web Docker tag to v1.11.70 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 1444dd114..b650d0cac 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=vectorim/element-web -matrix_client_element_version: v1.11.69 +matrix_client_element_version: v1.11.70 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" From 7d5e430ee92d7984b30a277f97a3c732f086293c Mon Sep 17 00:00:00 2001 
From: Samuel S <44732143+Progrsam@users.noreply.github.com> Date: Mon, 8 Jul 2024 17:12:03 +0200 Subject: [PATCH 35/46] Autocreate webhook in Gitlab instance with Hookshot bot (#3405) * Add public url for gitlab hookshot to autocreate webhook on gitlab instance * Add `noqa var-naming` comment to variable --------- Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 1 + roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 823af6257..519ff75ee 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -125,6 +125,7 @@ matrix_hookshot_gitlab_instances: # This will be the "Secret token" you have to enter into all GitLab instances for authentication matrix_hookshot_gitlab_webhook_secret: '' +matrix_hookshot_gitlab_webhook_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_webhook_endpoint }}" # noqa var-naming matrix_hookshot_figma_enabled: false diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 index cf60803a8..346310933 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 @@ -47,6 +47,7 @@ gitlab: instances: {{ matrix_hookshot_gitlab_instances | to_json }} webhook: secret: {{ matrix_hookshot_gitlab_webhook_secret | to_json }} + publicUrl: {{ matrix_hookshot_gitlab_webhook_publicUrl | to_json }} {% endif %} {% if matrix_hookshot_figma_enabled %} figma: From 2e1ef654b3ee4898877b40e48f52be46a0bb4203 Mon Sep 17 00:00:00 2001 
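Review bot: `matrix_hookshot_gitlab_webhook_publicUrl` is added to defaults/main.yml without a comment, although the neighbouring `matrix_hookshot_gitlab_webhook_secret` has one and the name alone does not say what Hookshot does with the value; from the commit title, `# Public URL of the GitLab webhook endpoint; Hookshot uses it when auto-creating webhooks on the configured GitLab instances.` would do. Because the value is built from `matrix_hookshot_urlprefix` and `matrix_hookshot_webhook_endpoint`, it inherits whatever path-prefix convention those two follow, and a rendered URL that is missing or doubling the public path segment would make every auto-created webhook point at the wrong place — worth a one-time check of the rendered config.yml. The config.yml.j2 hunk emits `publicUrl` unconditionally inside the gitlab block, which is fine as long as the defaults always produce a well-formed URL.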
From: Slavi Pantaleev Date: Tue, 9 Jul 2024 13:45:24 +0300 Subject: [PATCH 36/46] Upgrade container-socket-proxy (v0.1.2-2 -> v0.2.0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8880f28d6..8add4d769 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.2.8-1.8.11-1 name: backup_borg - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git - version: v0.1.2-2 + version: v0.2.0-0 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker version: 7.3.0 From b71b59dd8ed5808e585f4a0a068762ea13ca1efa Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:46:03 +0000 Subject: [PATCH 37/46] Update awesometechnologies/synapse-admin Docker tag to v0.10.2 --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index e46974256..bcdfad264 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -13,7 +13,7 @@ matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" # renovate: datasource=docker depName=awesometechnologies/synapse-admin -matrix_synapse_admin_version: 0.10.1 +matrix_synapse_admin_version: 0.10.2 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From c044c815bc3aec1f231fd90de1457dae9c44b39b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 10 Jul 2024 06:45:26 +0300 Subject: [PATCH 38/46] Fix fixing-template for matrix-alertmanager-receiver to also consider the `alertname` annotation My alerts seem to contain `annotations.alertname` in the payload, so the default configuration (coming from the matrix-alertmanager-receiver README) seems to be outdated or something. --- .../custom/matrix-alertmanager-receiver/defaults/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index 05338c638..697e5cf74 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml 
@@ -205,7 +205,12 @@ matrix_alertmanager_receiver_config_templating_firing_template: |- # Controls the `templating.resolved-template` configuration setting. matrix_alertmanager_receiver_config_templating_resolved_template: |- {% raw %} - {{ .Alert.Status | ToUpper }}{{ .Alert.Labels.name }} + {{ .Alert.Status | ToUpper }} + {{ if .Alert.Labels.name }} + {{ .Alert.Labels.name }} + {{ else if .Alert.Labels.alertname }} + {{ .Alert.Labels.alertname }} + {{ end }} {% endraw %} # Default matrix-alertmanager-receiver configuration template which covers the generic use case. From 07c73f77237e6efa6bb988c6447dca96d3e9e8f2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 11:57:41 +0000 Subject: [PATCH 39/46] Update dependency prometheus to v2.53.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8add4d769..6956494c9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: 8c3585fb4857dbac026b2974bb6525289240effb name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.53.0-0 + version: v2.53.1-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.8.1-1 From 386d98886de4c5f4bcdd6707ed4966a79707f706 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 18:26:43 +0000 Subject: [PATCH 40/46] Update ghcr.io/t2bot/matrix-media-repo Docker tag to v1.3.6 --- roles/custom/matrix-media-repo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 42a28cc48..6abceb1e6 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml 
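Review bot: The fallback branch checks `.Alert.Labels.alertname`, while the commit message says the alerts carry `annotations.alertname`; if it really is an annotation rather than a label, this branch never matches and the resolved message stays nameless, so the actual payload should be confirmed before settling on `.Alert.Labels.alertname` versus an annotation lookup (assuming the receiver exposes annotations to the template). Each Go-template action now sits on its own line with no `{{-`/`-}}` whitespace trimming, so the rendered text will contain the surrounding newlines, including an empty line produced by the `{{ if ... }}` line itself, unless the receiver normalises whitespace. `matrix_alertmanager_receiver_config_templating_firing_template`, just above this hunk, presumably relies on `.Alert.Labels.name` in the same way and would want the same fallback.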
+++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -19,7 +19,7 @@ matrix_media_repo_docker_image_path: "t2bot/matrix-media-repo" matrix_media_repo_docker_image: "{{ matrix_media_repo_docker_image_name_prefix }}{{ matrix_media_repo_docker_image_path }}:{{ matrix_media_repo_docker_image_tag }}" matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_repo_container_image_self_build else 'ghcr.io/' }}" # renovate: datasource=docker depName=ghcr.io/t2bot/matrix-media-repo -matrix_media_repo_docker_image_tag: "v1.3.4" +matrix_media_repo_docker_image_tag: "v1.3.6" matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" matrix_media_repo_base_path: "{{ matrix_base_data_path }}/{{ matrix_media_repo_identifier }}" From de91fe933d94afcdbfdb0c6cf75a1dfa43dfdf43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 Jul 2024 07:03:14 +0300 Subject: [PATCH 41/46] Add Traefik labels for handling authenticated media (MSC3916) in matrix-media-repo Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3409 - https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.5 - https://github.com/matrix-org/matrix-spec-proposals/pull/3916 Support for authenticated media routes is enabled by default, but variables are in place to disable it if necessary. This change has not been tested. --- group_vars/matrix_servers | 3 + .../matrix-media-repo/defaults/main.yml | 59 ++++++++++-- .../tasks/validate_config.yml | 1 + .../templates/media-repo/labels.j2 | 94 +++++++++++++++++++ 4 files changed, 148 insertions(+), 9 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3746d26cc..b5add2445 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3604,6 +3604,9 @@ matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik matrix_media_repo_container_labels_traefik_internal_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" matrix_media_repo_container_labels_traefik_internal_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" + matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_media_repo_database_username: matrix_media_repo matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}" diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 6abceb1e6..3b37ea2fe 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
@@ -65,6 +65,8 @@ matrix_media_repo_container_labels_traefik_enabled: true matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_media_repo_container_network }}" matrix_media_repo_container_labels_traefik_entrypoints: web-secure +# Traefik labels handling the old `/_matrix/media` endpoints on the Client-API (web-secure) entrypoint. +# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_client_matrix_client_media_*`. matrix_media_repo_container_labels_traefik_media_path_prefix: "/_matrix/media" matrix_media_repo_container_labels_traefik_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_media_priority: 0 
@@ -72,15 +74,36 @@ matrix_media_repo_container_labels_traefik_media_entrypoints: "{{ matrix_media_r matrix_media_repo_container_labels_traefik_media_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_media_tls_certResolver: default # noqa var-naming +# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the Client-API (web-secure) entrypoint. +# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916 +matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled: true +matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp: "/_matrix/client/(?P(v1))/media" +matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp | quote }}`)" +matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority: 0 +matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}" +matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints != 'web' }}" +matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver: default # noqa var-naming + +# Traefik labels handling the old `/_matrix/media` endpoints on the internal entrypoint. # This is like `matrix_media_repo_container_labels_traefik_media_*`, but on an internal Traefik entrypoint. +# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_internal_matrix_client_media_*`. 
matrix_media_repo_container_labels_traefik_internal_media_enabled: false matrix_media_repo_container_labels_traefik_internal_media_path_prefix: "{{ matrix_media_repo_container_labels_traefik_media_path_prefix }}" matrix_media_repo_container_labels_traefik_internal_media_rule: "PathPrefix(`{{ matrix_media_repo_container_labels_traefik_internal_media_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_internal_media_priority: "{{ matrix_media_repo_container_labels_traefik_media_priority }}" matrix_media_repo_container_labels_traefik_internal_media_entrypoints: "" -# /_matrix/client/r0/logout -# /_matrix/client/r0/logout/all +# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the internal entrypoint. +# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916 +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: false +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp }}" +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule: "PathRegexp(`{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp | quote }}`)" +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}" +matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: "" + +# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint: +# - /_matrix/client/r0/logout +# - /_matrix/client/r0/logout/all matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(?Pr0|v1|v3|unstable)/(?Plogout|logout/all)" matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ 
matrix_media_repo_container_labels_traefik_logout_path_regexp }}`)" matrix_media_repo_container_labels_traefik_logout_priority: 0 @@ -88,8 +111,9 @@ matrix_media_repo_container_labels_traefik_logout_entrypoints: "{{ matrix_media_ matrix_media_repo_container_labels_traefik_logout_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_logout_tls_certResolver: default # noqa var-naming -# /_matrix/client/r0/admin/purge_media_cache -# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} +# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint: +# - /_matrix/client/r0/admin/purge_media_cache +# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} matrix_media_repo_container_labels_traefik_admin_path_regexp: "^/_matrix/client/(?P(r0|v1|v3|unstable))/admin/(?P(purge_media_cache|quarantine_media/.*))" matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}`)" matrix_media_repo_container_labels_traefik_admin_priority: 0 @@ -97,6 +121,8 @@ matrix_media_repo_container_labels_traefik_admin_entrypoints: "{{ matrix_media_r matrix_media_repo_container_labels_traefik_admin_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_admin_tls_certResolver: default # noqa var-naming +# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint: +# - /_matrix/client/unstable/io.t2bot.media matrix_media_repo_container_labels_traefik_t2bot_path_prefix: "/_matrix/client/unstable/io.t2bot.media" matrix_media_repo_container_labels_traefik_t2bot_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_t2bot_priority: 0 
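Review bot: `matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule` and the internal variant in this hunk pass a regexp through `| quote`, which in Ansible is shell quoting (`shlex.quote`); that is a no-op for the plain `/_matrix/media` prefix, but the regexp contains `(`, `?` and `|`, so the value is wrapped in single quotes and the rendered `PathRegexp` matcher only matches paths that literally begin and end with `'`, meaning real `/_matrix/client/v1/media` requests will not reach matrix-media-repo. The existing `_logout_rule` and `_admin_rule` interpolate their regexps without `| quote`; the new rules here and `matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule` in the `@@ -112,8 +139,19 @@` hunk should follow that pattern. Separately, `*_client_matrix_client_media_path_regexp` (and the federation one) lacks the leading `^` that `_logout_path_regexp` and `_admin_path_regexp` carry; Traefik's `PathRegexp` appears to be an unanchored match, so any path merely containing `/_matrix/client/v1/media` would be routed to the media repo, which is the kind of route confusion an anchor avoids. The commit message says the change is untested, so a single request against the rendered rule would confirm both points.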
@@ -104,7 +130,8 @@ matrix_media_repo_container_labels_traefik_t2bot_entrypoints: "{{ matrix_media_r matrix_media_repo_container_labels_traefik_t2bot_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default # noqa var-naming -# Traefik federation labels +# Traefik labels handling the old `/_matrix/media` endpoints on the federation entrypint. +# These are being superseded by `/_matrix/federation/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_*`. matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media" matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_media_federation_priority: 0 
@@ -112,8 +139,19 @@ matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ mat matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default # noqa var-naming -# /_matrix/client/r0/logout -# /_matrix/client/r0/logout/all +# Traefik labels handling the new `/_matrix/federation/VERSION/media` endpoints on the federation entrypint. +# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916 +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled: true +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp: "/_matrix/federation/(?P(v1))/media" +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp | quote }}`)" +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority: 0 +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls: "{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints != 'web' }}" +matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver: default # noqa var-naming + +# Traefik labels handling some additional routes on the federation entrypoint: +# - /_matrix/client/r0/logout +# - /_matrix/client/r0/logout/all matrix_media_repo_container_labels_traefik_logout_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}" matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ 
matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_federation_path_regexp }}`)" matrix_media_repo_container_labels_traefik_logout_federation_priority: 0 @@ -121,8 +159,9 @@ matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ ma matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default # noqa var-naming -# /_matrix/client/r0/admin/purge_media_cache -# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} +# Traefik labels handling some additional routes on the federation entrypoint: +# - /_matrix/client/r0/admin/purge_media_cache +# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} matrix_media_repo_container_labels_traefik_admin_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}" matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_federation_path_regexp }}`)" matrix_media_repo_container_labels_traefik_admin_federation_priority: 0 
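Review bot: The new comment at the top of this hunk misspells "entrypoint" as "entrypint", and the comment added in the preceding `@@ -104,7 +130,8 @@` hunk has the same typo; suggested wording: `# Traefik labels handling the new `/_matrix/federation/VERSION/media` endpoints on the federation entrypoint.` Since these comments are what a reader greps for when tracing the MSC3916 routes, keeping the term spelled consistently with `matrix_federation_traefik_entrypoint_name` matters more than usual.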
@@ -130,6 +169,8 @@ matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ mat matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default # noqa var-naming +# Traefik labels handling some additional routes on the federation entrypoint: +# - /_matrix/client/unstable/io.t2bot.media matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media" matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0 diff --git a/roles/custom/matrix-media-repo/tasks/validate_config.yml b/roles/custom/matrix-media-repo/tasks/validate_config.yml index 57fdf8595..8b0ecb7cd 100644 --- a/roles/custom/matrix-media-repo/tasks/validate_config.yml +++ b/roles/custom/matrix-media-repo/tasks/validate_config.yml @@ -8,6 +8,7 @@ with_items: - {'name': 'matrix_media_repo_database_hostname', when: true} - {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"} + - {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"} - name: (Deprecation) Catch and report renamed matrix-media-repo settings ansible.builtin.fail: diff --git a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 index 297fd72c2..9f45c5125 100755 --- a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 
+++ b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 
@@ -49,6 +49,39 @@ traefik.http.routers.matrix-media-repo-public-media.tls.certResolver={{ matrix_m ############################################################ +{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled %} +########################################################################## +# # +# Public Client Media (/_matrix/client/VERSION/media) - MSC3916 # +# # +########################################################################## + +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule }} + +{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority | int > 0 %} +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }} +{% endif %} + +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.service=matrix-media-repo +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints }} + +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls | to_json }} +{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls %} +traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver }} +{% endif %} + +########################################################################## +# # +# /Public Client Media (/_matrix/client/VERSION/media) - MSC3916 # +# # 
+########################################################################## +{% endif %} + + {% if matrix_media_repo_container_labels_traefik_internal_media_enabled %} ############################################################ # # @@ -77,6 +110,34 @@ traefik.http.routers.matrix-media-repo-internal-media.entrypoints={{ matrix_medi {% endif %} +{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled %} +########################################################################## +# # +# Internal Client Media (/_matrix/client/VERSION/media) - MSC3916 # +# # +########################################################################## + +traefik.http.routers.matrix-media-repo-internal-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule }} + +{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority | int > 0 %} +traefik.http.routers.matrix-media-repo-internal-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority }} +{% endif %} + +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-media-repo-internal-matrix-client-media.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-media-repo-internal-matrix-client-media.service=matrix-media-repo +traefik.http.routers.matrix-media-repo-internal-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints }} + +########################################################################## +# # +# /Internal Client Media (/_matrix/client/VERSION/media) - MSC3916 # +# # +########################################################################## +{% endif %} + + {% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %} ############################################################ # # 
@@ -210,6 +271,39 @@ traefik.http.routers.matrix-media-repo-public-media-federation.tls.certResolver= ############################################################ +{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled %} +########################################################################## +# # +# Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916 # +# # +########################################################################## + +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.rule={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule }} + +{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority | int > 0 %} +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.priority={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority }} +{% endif %} + +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.service=matrix-media-repo +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.entrypoints={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints }} + +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls | to_json }} +{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls %} +traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver }} +{% endif %} + 
+########################################################################## +# # +# /Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916 # +# # +########################################################################## +{% endif %} + + {% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %} ############################################################ # # From f794aa200599b132d9ccf6e0bc15feea24d1f1af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 Jul 2024 07:10:33 +0300 Subject: [PATCH 42/46] Add support for enabling/disabling all the other matrix-media-repo Traefik labels This is provoked by de91fe933d94afcdbfdb0c6cf75a1dfa43dfdf43, where I've added a few new labels and made it possible for people to disable them. In this patch, I'm making it possible to disable any of the old Traefik labels in a similar way. --- .../custom/matrix-media-repo/defaults/main.yml | 8 ++++++++ .../templates/media-repo/labels.j2 | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 3b37ea2fe..1ac4d6b56 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
@@ -67,6 +67,7 @@ matrix_media_repo_container_labels_traefik_entrypoints: web-secure # Traefik labels handling the old `/_matrix/media` endpoints on the Client-API (web-secure) entrypoint. # These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_client_matrix_client_media_*`. +matrix_media_repo_container_labels_traefik_media_enabled: true matrix_media_repo_container_labels_traefik_media_path_prefix: "/_matrix/media" matrix_media_repo_container_labels_traefik_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_media_priority: 0 @@ -104,6 +105,7 @@ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoi # Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint: # - /_matrix/client/r0/logout # - /_matrix/client/r0/logout/all +matrix_media_repo_container_labels_traefik_logout_enabled: true matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(?Pr0|v1|v3|unstable)/(?Plogout|logout/all)" matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}`)" matrix_media_repo_container_labels_traefik_logout_priority: 0 
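Review bot: `matrix_media_repo_container_labels_traefik_logout_enabled: true` reads as if it alone controls the logout routers, but in the companion `labels.j2` change the block is rendered only when `matrix_media_repo_container_labels_traefik_logout_enabled and matrix_media_repo_access_tokens_max_cache_time_seconds > 0`, so the flag is necessary but not sufficient. A one-line comment above the key would save a reader a trip to the template, e.g. `# Note: these routes are only generated when matrix_media_repo_access_tokens_max_cache_time_seconds is also > 0.` The same applies to `matrix_media_repo_container_labels_traefik_logout_federation_enabled` in the `@@ -152,6 +157,7 @@` hunk.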
@@ -114,6 +116,7 @@ matrix_media_repo_container_labels_traefik_logout_tls_certResolver: default # n # Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint: # - /_matrix/client/r0/admin/purge_media_cache # - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} +matrix_media_repo_container_labels_traefik_admin_enabled: true matrix_media_repo_container_labels_traefik_admin_path_regexp: "^/_matrix/client/(?P(r0|v1|v3|unstable))/admin/(?P(purge_media_cache|quarantine_media/.*))" matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}`)" matrix_media_repo_container_labels_traefik_admin_priority: 0 @@ -123,6 +126,7 @@ matrix_media_repo_container_labels_traefik_admin_tls_certResolver: default # no # Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint: # - /_matrix/client/unstable/io.t2bot.media +matrix_media_repo_container_labels_traefik_t2bot_enabled: true matrix_media_repo_container_labels_traefik_t2bot_path_prefix: "/_matrix/client/unstable/io.t2bot.media" matrix_media_repo_container_labels_traefik_t2bot_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_t2bot_priority: 0 
@@ -132,6 +136,7 @@ matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default # no # Traefik labels handling the old `/_matrix/media` endpoints on the federation entrypint. # These are being superseded by `/_matrix/federation/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_*`. +matrix_media_repo_container_labels_traefik_media_federation_enabled: true matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media" matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_media_federation_priority: 0 @@ -152,6 +157,7 @@ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tl # Traefik labels handling some additional routes on the federation entrypoint: # - /_matrix/client/r0/logout # - /_matrix/client/r0/logout/all +matrix_media_repo_container_labels_traefik_logout_federation_enabled: true matrix_media_repo_container_labels_traefik_logout_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}" matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_federation_path_regexp }}`)" matrix_media_repo_container_labels_traefik_logout_federation_priority: 0 
@@ -162,6 +168,7 @@ matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: d # Traefik labels handling some additional routes on the federation entrypoint: # - /_matrix/client/r0/admin/purge_media_cache # - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} +matrix_media_repo_container_labels_traefik_admin_federation_enabled: true matrix_media_repo_container_labels_traefik_admin_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}" matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_federation_path_regexp }}`)" matrix_media_repo_container_labels_traefik_admin_federation_priority: 0 @@ -171,6 +178,7 @@ matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: de # Traefik labels handling some additional routes on the federation entrypoint: # - /_matrix/client/unstable/io.t2bot.media +matrix_media_repo_container_labels_traefik_t2bot_federation_enabled: true matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media" matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0 diff --git a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 index 9f45c5125..e6b675880 100755 --- a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 +++ b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 
@@ -18,6 +18,7 @@ traefik.http.middlewares.matrix-media-repo-add-headers.headers.customrequesthead # Matrix Client +{% if matrix_media_repo_container_labels_traefik_media_enabled %} ############################################################ # # # Public Media (/_matrix/media) # @@ -47,6 +48,7 @@ traefik.http.routers.matrix-media-repo-public-media.tls.certResolver={{ matrix_m # /Public Media (/_matrix/media) # # # ############################################################ +{% endif %} {% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled %} @@ -138,7 +140,7 @@ traefik.http.routers.matrix-media-repo-internal-matrix-client-media.entrypoints= {% endif %} -{% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %} +{% if matrix_media_repo_container_labels_traefik_logout_enabled and matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %} ############################################################ # # # Public Client Logout # @@ -173,6 +175,7 @@ traefik.http.routers.matrix-media-repo-public-logout.tls.certResolver={{ matrix_ {% endif %} +{% if matrix_media_repo_container_labels_traefik_admin_enabled %} ############################################################ # # # Public Client Admin (/_matrix/client/r0/admin/*) # @@ -202,8 +205,10 @@ traefik.http.routers.matrix-media-repo-public-admin-federation.tls.certResolver= # /Public Client Admin (/_matrix/client/r0/admin/*) # # # ############################################################ +{% endif %} +{% if matrix_media_repo_container_labels_traefik_t2bot_enabled %} ############################################################ # # # Public Client t2bot APIs # 
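Review bot: The `{% endif %}` lines added in these hunks close `{% if %}` blocks opened roughly thirty lines earlier, yet carry no marker saying which flag they close, whereas the file already annotates its distant closer as `{% endif %} {# end of matrix_media_repo_homeserver_federation_enabled if-check #}` (visible at the end of the `@@ -401,6 +413,8 @@` hunk). Following that convention for each new closer, e.g. `{% endif %} {# end of matrix_media_repo_container_labels_traefik_media_enabled if-check #}`, would make the nesting checkable by eye, which matters for the federation blocks that now sit inside the outer `matrix_media_repo_homeserver_federation_enabled` check. This applies equally to the closers in the `@@ -202,8 +205,10 @@`, `@@ -235,11 +240,14 @@`, `@@ -269,6 +277,7 @@`, `@@ -368,8 +378,10 @@` and `@@ -401,6 +413,8 @@` hunks.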
@@ -235,11 +240,14 @@ traefik.http.routers.matrix-media-repo-public-t2bot.tls.certResolver={{ matrix_m # (/_matrix/client/unstable/io.t2bot.media) # # # ############################################################ +{% endif %} + {% if matrix_media_repo_homeserver_federation_enabled %} # Matrix Federation +{% if matrix_media_repo_container_labels_traefik_media_federation_enabled %} ############################################################ # # # Public Federation Media (/_matrix/media) # @@ -269,6 +277,7 @@ traefik.http.routers.matrix-media-repo-public-media-federation.tls.certResolver= # /Public Federation Media (/_matrix/media) # # # ############################################################ +{% endif %} {% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled %} @@ -304,7 +313,7 @@ traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media {% endif %} -{% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %} +{% if matrix_media_repo_container_labels_traefik_logout_federation_enabled and matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %} ############################################################ # # # Public Federation Logout # @@ -339,6 +348,7 @@ traefik.http.routers.matrix-media-repo-public-logout-federation.tls.certResolver {% endif %} +{% if matrix_media_repo_container_labels_traefik_admin_federation_enabled %} ############################################################ # # # Public Federation Admin (/_matrix/client/r0/admin/*) # @@ -368,8 +378,10 @@ traefik.http.routers.matrix-media-repo-public-admin.tls.certResolver={{ matrix_m # /Public Federation Admin (/_matrix/client/r0/admin/*) # # # ############################################################ +{% endif %} +{% if matrix_media_repo_container_labels_traefik_t2bot_federation_enabled %} ############################################################ # # # Public Federation t2bot APIs # 
@@ -401,6 +413,8 @@ traefik.http.routers.matrix-media-repo-public-t2bot-federation.tls.certResolver= # (/_matrix/client/unstable/io.t2bot.media) # # # ############################################################ +{% endif %} + {% endif %} {# end of matrix_media_repo_homeserver_federation_enabled if-check #} From 30baeded64f2c8e00cd1f2354240065528c17df7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Jul 2024 20:52:34 +0300 Subject: [PATCH 43/46] Upgrade exim-relay (v4.97.1-r0-1-0 -> v4.98-r0-0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 6956494c9..781933b66 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: v2.1.1-0 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git - version: v4.97.1-r0-1-0 + version: v4.98-r0-0-0 name: exim_relay - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v11.1.0-0 From 3b2fd0ba2c904ba23f503c0b0002b9625c35f5fd Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 14 Jul 2024 16:08:11 +0000 Subject: [PATCH 44/46] Update dependency prometheus_node_exporter to v1.8.2-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 781933b66..89165394d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,7 +52,7 @@ version: v2.53.1-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git - version: v1.8.1-1 + version: v1.8.2-0 name: prometheus_node_exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.14.0-5 From b347d98161d3a4f7067f8ea75b0fabbf1a64ade8 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 15 Jul 2024 04:57:08 +0000 Subject: [PATCH 45/46] rewrite `just update` command to provide a one-line command to update everything (#3410) * rewrite `just update` command to provide a one-line command to update everything * update prefix * uncomment update-self * Revert requirements.yml updates not belonging to this PR * Justfile and documentation updates to make things clearer --------- Co-authored-by: Slavi Pantaleev --- docs/faq.md | 4 ++-- docs/installing.md | 4 +++- docs/maintenance-upgrading-services.md | 9 +++++---- docs/prerequisites.md | 2 +- justfile | 23 ++++++++++++++++++++--- 5 files changed, 31 insertions(+), 11 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 82e2f3a17..427d2d25c 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -342,7 +342,7 @@ As described in [How is the effective configuration determined?](#how-is-the-eff Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). -**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`) or `just update` (which automatically does `git pull` and `just roles`). ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? 
@@ -356,7 +356,7 @@ Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_con Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it. -**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`) or `just update` (which automatically does `git pull` and `just roles`). ## Installation diff --git a/docs/installing.md b/docs/installing.md index c85ce1e63..01cf20e84 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -2,7 +2,9 @@ If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. -**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`. +**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [agru](https://gitlab.com/etke.cc/tools/agru) or [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) (depending on what is available in your system) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`. + +There's another shortcut (`just update`) which updates the playbook (`git pull`) and updates roles (`just update`) at the same time. ## Playbook tags introduction diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index b65eadd77..8b903fbb4 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md 
@@ -6,12 +6,13 @@ If you want to be notified when new versions of Synapse are released, you should To upgrade services: -- update your playbook directory (`git pull`), so you'd obtain everything new we've done +- update your playbook directory and all upstream Ansible roles (defined in the `requirements.yml` file) using: -- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of +- either: `just update` +- or: a combination of `git pull` and `just role` (or `make roles`) -- download the upstream Ansible roles used by the playbook by running `just roles` +- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of -- re-run the [playbook setup](installing.md) and restart all services: `just setup-all` +- re-run the [playbook setup](installing.md) and restart all services: `just install-all` or `just setup-all` **Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). diff --git a/docs/prerequisites.md b/docs/prerequisites.md index d1259e6fc..9fcadd275 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -26,7 +26,7 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components. -- [`just`](https://github.com/casey/just) for running `just roles`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually +- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually - An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). diff --git a/justfile b/justfile index b7ca7d2c4..72609d572 100644 --- a/justfile +++ b/justfile @@ -5,6 +5,7 @@ default: # Pulls external Ansible roles roles: #!/usr/bin/env sh + echo "[NOTE] This command just updates the roles, but if you want to update everything at once (playbook, roles, etc.) - use 'just update'" if [ -x "$(command -v agru)" ]; then agru else 
@@ -12,9 +13,25 @@ roles: ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force fi -# Updates requirements.yml if there are any new tags available. Requires agru -update: - @agru -u +# Updates the playbook and installs the necessary Ansible roles pinned in requirements.yml. If a -u flag is passed, also updates the requirements.yml file with new role versions (if available) +update *flags: update-playbook-only + #!/usr/bin/env sh + if [ -x "$(command -v agru)" ]; then + echo {{ if flags == "" { "Installing roles pinned in requirements.yml..." } else if flags == "-u" { "Updating roles and pinning new versions in requirements.yml..." } else { "Unknown flags passed" } }} + agru {{ flags }} + else + echo "[NOTE] You are using the standard ansible-galaxy tool to install roles, which is slow and lacks other features. We recommend installing the 'agru' tool to speed up the process: https://gitlab.com/etke.cc/tools/agru#where-to-get" + echo "Installing roles..." + rm -rf roles/galaxy + ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force + fi + +# Updates the playbook without installing/updating Ansible roles +update-playbook-only: + @echo "Updating playbook..." + @git stash -q + @git pull -q + @-git stash pop -q # Runs ansible-lint against all roles in the playbook lint: From e818b981f31a58de9a81d3488d71f7132ddbd0c9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Jul 2024 08:09:28 +0300 Subject: [PATCH 46/46] Update Redis (v7.2.4-1 -> v7.2.4-2) and Backup Borg (v1.2.8-1.8.11-1 -> v1.2.8-1.8.13-0) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index 89165394d..03bccac33 100644 --- a/requirements.yml +++ b/requirements.yml 
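Review bot: `update-playbook-only` pairs `@git stash -q` with `@-git stash pop -q`, but `git stash` creates no entry when the working tree is clean, so the `pop` then applies whatever older stash entry the user already had, and the `-` prefix plus `-q` hide the result. A single `@git pull --rebase --autostash -q` (or a `git stash push` followed by a pop only when something was actually stashed) avoids that, and also stops local edits from being left silently in the stash when the pop conflicts. In `update`, the `else { "Unknown flags passed" }` branch only echoes and then still runs `agru {{ flags }}` with the rejected input; a guard such as `if [ -n "{{ flags }}" ] && [ "{{ flags }}" != "-u" ]; then echo "Unknown flags passed"; exit 1; fi` before the `agru` call would make the check effective. Since `{{ flags }}` is interpolated into the shell recipe unquoted, it must only ever come from the operator running `just`, which is worth stating in the recipe comment.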
@@ -4,7 +4,7 @@ version: v1.0.0-3 name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.8-1.8.11-1 + version: v1.2.8-1.8.13-0 name: backup_borg - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.2.0-0 @@ -58,7 +58,7 @@ version: v0.14.0-5 name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.2.4-1 + version: v7.2.4-2 name: redis - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.2.0-0