From 37165ef20259405e735b5aa2927025202e7573a8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Jun 2023 10:44:31 +0300 Subject: [PATCH 01/74] Upgrade Traefik (v2.10.1-0 -> v2.10.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index bd260d6cc..3c2572ab3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-0 + version: v2.10.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From e4498f9568667a2914a70942e0a8dc7231a5afe0 Mon Sep 17 00:00:00 2001 From: Luke Moch <19363185+mochman@users.noreply.github.com> Date: Fri, 2 Jun 2023 06:23:30 -0400 Subject: [PATCH 02/74] Fix for hookshot validation failure --- roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index 576eb0079..05e5cb856 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -81,7 +81,7 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml - {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml + {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml register: hookshot_config_validation_result changed_when: false From 1f0da9f744156eb36070e301842806046e93b62b Mon Sep 17 00:00:00 2001 
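Review bot: The changed validation command hardcodes the case-sensitive `config/Config.js` path inside the upstream hookshot image, and nothing in the task records that the path follows the image layout, so the next `matrix_hookshot_version` bump can break validation again with no hint why. A one-line comment above the command, `# Entry point path follows the upstream image layout (config/Config.js); re-check when bumping matrix_hookshot_version`, would capture that. The `-v {{ matrix_hookshot_base_path }}/config.yml:/config.yml` bind in the same hunk is writable although this run only reads the file; `-v {{ matrix_hookshot_base_path }}/config.yml:/config.yml:ro` would match the `--cap-drop=ALL` hardening already applied. The enclosing task starts outside the hunk.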
From: Luke D Iremadze Date: Fri, 2 Jun 2023 12:50:46 -0600 Subject: [PATCH 03/74] Create hooks for user search ability --- roles/custom/matrix-synapse/defaults/main.yml | 5 +++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a0169eb0c..df2f7bf8c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -334,6 +334,11 @@ matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false # Defaults to 'true'. matrix_synapse_include_profile_data_on_invite: true + +# User search behaviour +matrix_synapse_search_all_users: false +matrix_synapse_prefer_local_users: false + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false # Controls whether people with access to the homeserver can register by themselves without verification (email/msisdn/token) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a36df6fc0..ebfc2711c 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2630,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - #search_all_users: true + search_all_users: {{ matrix_synapse_search_all_users|to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users 
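Review bot: The two new defaults under `# User search behaviour` carry no description of what they switch on, and `matrix_synapse_search_all_users` in particular changes who is discoverable: per the homeserver.yaml.j2 comment in this same commit it returns search results containing all known users, even those sharing no room with the requester. A short comment above each, e.g. `# Return user directory results for all known users, even ones not sharing a room with the requester (wider exposure of the user list)` and `# Rank local users above remote users in user directory results`, lets operators weigh that before flipping them. Later commits in this series rename both keys, so the comment text should be written against whichever name lands.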
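Review bot: The upstream comment kept above the new `search_all_users:` line still says `# Uncomment to return search results containing all known users`, but the key is now always rendered from the playbook variable, so the instruction is stale and misleading to anyone reading the generated homeserver.yaml. Replacing those comment lines with `# Controlled by the matrix_synapse_search_all_users playbook variable.` keeps the explanation and drops the stale instruction. The `prefer_local_users` hunk at `@@ -2639,7 +2639,7 @@` leaves the same `# Uncomment to prefer local over remote users` comment above an always-rendered key, and the later rename commits touching both hunks keep the stale comments as well.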
@@ -2639,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - #prefer_local_users: true + prefer_local_users: {{ matrix_synapse_prefer_local_users|to_json }} # User Consent configuration From 130c278a3c42b4ba601d6eff830cf7c34fee2b7a Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:38:57 -0600 Subject: [PATCH 04/74] Update roles/custom/matrix-synapse/defaults/main.yml Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index df2f7bf8c..4376a960e 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -336,8 +336,8 @@ matrix_synapse_include_profile_data_on_invite: true # User search behaviour -matrix_synapse_search_all_users: false -matrix_synapse_prefer_local_users: false +matrix_synapse_user_directory_search_all_users: false +matrix_synapse_user_directory_prefer_local_users: false # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false From 2f4428bf5b4c1f6658d33236f824748db455b2f9 Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:39:17 -0600 Subject: [PATCH 05/74] Update roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 Co-authored-by: Slavi Pantaleev --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ebfc2711c..05700c9b5 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -2639,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - prefer_local_users: {{ matrix_synapse_prefer_local_users|to_json }} + prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }} # User Consent configuration From 5c0279f0c962b29ab6cf75c7bb7ff94d8e5e3e7e Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:39:55 -0600 Subject: [PATCH 06/74] Update roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 Co-authored-by: Slavi Pantaleev --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 05700c9b5..f42f6e309 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2630,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - search_all_users: {{ matrix_synapse_search_all_users|to_json }} + search_all_users: {{ matrix_synapse_user_directory_search_all_users | to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users From b96792ecf920297c167181f5d7341523db43aee2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Jun 2023 10:46:08 +0300 Subject: [PATCH 07/74] Upgrade ddclient (v3.10.0-ls111 -> v3.10.0-ls123) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 08cf023ca..5a60194a3 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml 
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls111 +matrix_dynamic_dns_version: v3.10.0-ls123 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From 69cece9fa32a43217fc057e6bcd858b62c72149d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Jun 2023 13:51:25 +0300 Subject: [PATCH 08/74] Upgrade Synapse (v1.84.1 -> v1.85.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4376a960e..f9853c3de 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.84.1 +matrix_synapse_version: v1.85.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 0ce0a62eb7c540513086ba08decb8c697a314d6a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:48:08 +0300 Subject: [PATCH 09/74] Update hookshot 4.0.0 (4.1.0?) -> 4.2.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 247c542b7..55dbdfea7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.1.0 +matrix_hookshot_version: 4.2.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 63473482baf2b0a1e323bb241883403b3eca11df Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:50:38 +0300 Subject: [PATCH 10/74] Update grafana 9.5.2 -> 9.5.3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3c2572ab3..c88c27b67 100644 --- a/requirements.yml +++ b/requirements.yml @@ -35,7 +35,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.5.2-0 + version: v9.5.3-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-0 name: jitsi From aab55d5b5cf471e5b84457c1172d43cabb6960dd Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:53:18 +0300 Subject: [PATCH 11/74] Update borgmatic 1.7.13 -> 1.7.14 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3c2572ab3..845f52fe7 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,7 +4,7 @@ version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.13-0 + version: v1.2.4-1.7.14-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 3a458308a55ae7a70cbba42625e4a31445261ef9 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:55:37 +0300 Subject: [PATCH 12/74] Update element 1.11.31 -> 1.11.32 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 109b42e87..ad30f16f7 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.31 +matrix_client_element_version: v1.11.32 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From f320110e902bfe1f995f4a2361db8d7e4917594f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 7 Jun 2023 14:12:38 +0300 Subject: [PATCH 13/74] Enable com.devture.shared_secret_auth login type for matrix-synapse-shared-secret-auth by default Now that Element v1.11.32 is out and https://github.com/vector-im/element-web/issues/19605 is fixed (by https://github.com/matrix-org/matrix-react-sdk/pull/10975), we don't need to force-disable this login type. --- roles/custom/matrix-synapse/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f9853c3de..804ef17a4 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -792,8 +792,7 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true -# We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605 -matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml | from_yaml }}" matrix_synapse_ext_password_provider_shared_secret_config_yaml: | shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret | string | to_json }} From 672b45648f335c945ec3d9e269326b1eb6ad2319 Mon Sep 17 00:00:00 2001 
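Review bot: The flipped default `matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true` drops the comment that explained the previous value, and the reason it is now safe to enable lives only in the commit message. Keeping that context in the file, `# Safe to enable since Element v1.11.32, which fixed https://github.com/vector-im/element-web/issues/19605; set to false if older Element builds must keep working.`, tells an operator pinning an older `matrix_client_element_version` why logins might break after this default changes.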
From: Slavi Pantaleev
Date: Wed, 7 Jun 2023 14:20:52 +0300
Subject: [PATCH 14/74] Upgrade matrix-synapse-shared-secret-auth (2.0.2 -> 2.0.3)

---
 roles/custom/matrix-synapse/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 804ef17a4..5917426b7 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -789,7 +789,7 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals
 # Enable this to activate the Shared Secret Auth password provider module.
 # See: https://github.com/devture/matrix-synapse-shared-secret-auth
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
-matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py"
+matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.3/shared_secret_authenticator.py"
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
 matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true

From ba868ba6c6d84c6ee1bf7e120bcce90ad6151d3b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 7 Jun 2023 16:50:54 +0300
Subject: [PATCH 15/74] Upgrade Synapse (v1.85.0 -> v1.85.1)

---
 roles/custom/matrix-synapse/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 5917426b7..1aa5df3fa 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.85.0 +matrix_synapse_version: v1.85.1 matrix_synapse_username: '' matrix_synapse_uid: '' From 55fcbca681528d63d2216c5be53f22594907f74c Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 8 Jun 2023 18:59:31 +0300 Subject: [PATCH 16/74] Update synapse 1.85.1 -> 1.85.2 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 1aa5df3fa..32d63df7d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.85.1 +matrix_synapse_version: v1.85.2 matrix_synapse_username: '' matrix_synapse_uid: '' From 9709a83a4a845a8bf0e26bf2a44bdb483b6c85df Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 11 Jun 2023 08:37:54 +0300 Subject: [PATCH 17/74] Update element 1.11.32 -> 1.11.33 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index ad30f16f7..f0ddbbede 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.32 +matrix_client_element_version: v1.11.33 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 85f38421e34d4e29f2d01ff85c78f4cb1b6fc2ff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 11 Jun 2023 21:28:22 +0300 Subject: [PATCH 18/74] Fix matrix-synapse-ldap3 docs link in README Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2734 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ff93cd1f6..8b0265092 100644 --- a/README.md +++ b/README.md 
@@ -79,7 +79,7 @@ Extend and modify how users are authenticated on your homeserver. | ---- | -------- | ----------- | ------------- | | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | -| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) | +| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) | | [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) | | [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) | From 17a0f89775c03f4f05eadd3d6e073fe3d6f32006 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Jun 2023 07:16:53 +0300 Subject: [PATCH 19/74] Upgrade Traefik (v2.10.1-1 -> v2.10.1-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index cb9e8f37b..e93903daa 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-1 + version: v2.10.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From ceda4c41ccdd59f267bdb7eee8995d44a601e271 Mon Sep 17 00:00:00 2001 From: Zac Date: Tue, 13 Jun 2023 10:22:37 -0500 Subject: [PATCH 20/74] remove the offending lines --- .../tasks/ext/s3-storage-provider/validate_config.yml | 2 -- .../templates/synapse/ext/s3-storage-provider/env.j2 | 2 -- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 -- 3 files changed, 6 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index 317269b3c..dfa3d9e5a 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml @@ -8,8 +8,6 @@ with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index 58d262558..d895b742d 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -1,5 +1,3 @@ -AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} -AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }} ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index ac2b58dbb..71394acef 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,8 +6,6 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} - access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} - secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} From 0e701bbecec26df41dab8c65036252532d624f47 Mon Sep 17 00:00:00 2001 
From: cbackas
Date: Tue, 13 Jun 2023 11:08:14 -0500
Subject: [PATCH 21/74] add var to make the creds optional

---
 roles/custom/matrix-synapse/defaults/main.yml | 2 ++
 .../s3-storage-provider/validate_config.yml | 21 +++++++++++++++----
 .../synapse/ext/s3-storage-provider/env.j2 | 4 ++++
 .../media_storage_provider.yaml.j2 | 4 ++++
 4 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 32d63df7d..fa09d83f7 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -885,6 +885,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: ''
+# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly.
+matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256'
diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
index dfa3d9e5a..c3034531d 100644
--- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
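Review bot: The comment on the new `matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile` default says where credentials come from but not that enabling it makes the two keys right above it inert: the env.j2 and media_storage_provider.yaml.j2 hunks in this commit skip `access_key_id`/`secret_access_key` entirely when it is true, so a non-empty secret left in vars is silently ignored rather than rejected. Extending the comment with `# When enabled, the access_key_id/secret_access_key settings above are not rendered and are ignored.` makes that visible at the point of configuration. Whether an instance-metadata lookup actually happens is decided by the S3 provider's client library and is not shown here, so the comment should promise no more than that no static credentials are passed.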
@@ -1,14 +1,27 @@ --- +- name: Set base required s3-storage-provider settings + set_fact: + base_s3_storage_provider_config: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + +- name: Set optional required s3-storage-provider settings + set_fact: + optional_s3_storage_provider_config: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" + +- name: Prepare a list of required s3-storage-provider settings + set_fact: + required_s3_settings: "{{ base_s3_storage_provider_config + (optional_s3_storage_provider_config if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool else []) }}" - name: Fail if required s3-storage-provider settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. when: "vars[item] == ''" - with_items: - - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + with_items: "{{ required_s3_settings }}" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index d895b742d..c5e896032 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 
@@ -1,3 +1,7 @@ +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} +AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} +AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} +{% endif %} AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }} ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 71394acef..32c8a0d17 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,6 +6,10 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} + access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} + secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} +{% endif %} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} From f6d260dc0036a7049daef262b09dbe0f85b3ff7e Mon Sep 17 00:00:00 2001 
From: cbackas
Date: Tue, 13 Jun 2023 11:58:19 -0500
Subject: [PATCH 22/74] this is better

---
 .../s3-storage-provider/validate_config.yml | 31 ++++++++-----------
 1 file changed, 13 insertions(+), 18 deletions(-)

diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
index c3034531d..78b02f387 100644
--- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
@@ -1,27 +1,22 @@ --- -- name: Set base required s3-storage-provider settings - set_fact: - base_s3_storage_provider_config: - - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" - -- name: Set optional required s3-storage-provider settings - set_fact: - optional_s3_storage_provider_config: - - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - -- name: Prepare a list of required s3-storage-provider settings - set_fact: - required_s3_settings: "{{ base_s3_storage_provider_config + (optional_s3_storage_provider_config if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool else []) }}" - - name: Fail if required s3-storage-provider settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. when: "vars[item] == ''" - with_items: "{{ required_s3_settings }}" + with_items: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + +- name: Fail if required s3-storage-provider auth settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. 
+ when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool and vars[item] == ''" + with_items: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid ansible.builtin.fail: From f026c7cee1dff3fe577a0d37bd153ecf5c1f8295 Mon Sep 17 00:00:00 2001 From: Zac Date: Tue, 13 Jun 2023 14:48:44 -0500 Subject: [PATCH 23/74] Apply suggestions from code review Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-synapse/defaults/main.yml | 3 ++- .../tasks/ext/s3-storage-provider/validate_config.yml | 4 ++-- .../templates/synapse/ext/s3-storage-provider/env.j2 | 2 +- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index fa09d83f7..88ef768e9 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
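Review bot: The new auth task only enforces that the access key id and secret are set while the instance-profile flag is off; with the flag on, a non-empty static credential is accepted silently even though the templates omit it from the rendered config, so an operator can leave an unused static key lingering in vars.yml with no signal about which credential path is actually in effect. A complementary check that fails when the flag is enabled and either key is still non-empty makes the active path unambiguous; the task below mirrors the one added here. The `Fail if required ... endpoint_url looks invalid` task at the end of the hunk continues outside it.
```yaml
# … unchanged: required-settings and auth-settings tasks …
- name: Fail if static s3-storage-provider credentials are set while using an EC2 instance profile
  ansible.builtin.fail:
    msg: >-
      `{{ item }}` is set but ignored, because matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile is enabled. Unset it or disable the instance profile.
  when: "matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool and vars[item] != ''"
  with_items:
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
```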
@@ -885,7 +885,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: '' matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: '' matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: '' matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: '' -# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly. +# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly +# via matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id and matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: '' diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index 78b02f387..406f186dc 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml 
@@ -9,11 +9,11 @@ - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" -- name: Fail if required s3-storage-provider auth settings not defined +- name: Fail if required s3-storage-provider auth settings not defined when not using an EC2 profile ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. - when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool and vars[item] == ''" + when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''" with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index c5e896032..227fd89e4 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -1,4 +1,4 @@ -{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} {% endif %} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 32c8a0d17..97387e55c 100644 
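Review bot: The renamed task name now says the check applies only when no EC2 profile is used, but the failure message the operator actually sees still only says the setting must be defined, so someone on AWS who intended to rely on an instance profile is never pointed at that alternative. Appending `, or enable matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile to use an EC2 instance profile instead` to the existing msg covers that. The msg line is unchanged context in this hunk; the change itself only touches the task name and the `when` expression.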
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,7 +6,7 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} -{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} {% endif %} From d9f8ac0f8b81a026e0ecd194029c2268980b5e47 Mon Sep 17 00:00:00 2001 From: cbackas Date: Tue, 13 Jun 2023 14:55:07 -0500 Subject: [PATCH 24/74] add thing to docs --- docs/configuring-playbook-synapse-s3-storage-provider.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index d5d5ca5e2..549fe6010 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -37,6 +37,10 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key- matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. +# If you're using an EC2 instance with an instance profile that grants it permissions to access S3, set the following variable to true +# Defaulted to false, when this is enabled you do not need to provide the access_key_id or secret_access_key. +matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true + # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` From ba3534903ac4c6167d11b4f743cfba39f540f7e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 14 Jun 2023 09:27:40 +0300 Subject: [PATCH 25/74] Make S3 authentication options clearer --- ...uring-playbook-synapse-s3-storage-provider.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 549fe6010..c704a747f 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -30,16 +30,22 @@ After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#buc ```yaml matrix_synapse_ext_synapse_s3_storage_provider_enabled: true + matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this -matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here -matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. -# If you're using an EC2 instance with an instance profile that grants it permissions to access S3, set the following variable to true -# Defaulted to false, when this is enabled you do not need to provide the access_key_id or secret_access_key. -matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true +# Authentication Method 1 - (access key id + secret) +# This works on all providers (AWS and other compatible systems). +# Uncomment the variables below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here +# matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here + +# Authentication Method 2 - EC2 instance profile which grants permission to access S3 +# This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set. +# Uncomment the variable below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` From 6a2d90006b47831b756e7ddd866ae0f62ff07dbd Mon Sep 17 00:00:00 2001 
From: Tupsi Date: Wed, 14 Jun 2023 15:22:38 +0200 Subject: [PATCH 26/74] Update configuring-playbook-synapse-s3-storage-provider.md added syntax to upload to wasabi (needs --endpoint param) --- ...figuring-playbook-synapse-s3-storage-provider.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index c704a747f..62ace208e 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md @@ -112,6 +112,19 @@ docker run -it --rm \ docker.io/amazon/aws-cli:2.9.16 \ -c 'aws s3 sync /work/. s3://$BUCKET/' ``` +#### Copying data to Wasabi + +To copy to Wasabi, start a container on the Matrix server like this: + +```sh +docker run -it --rm \ +-w /work \ +--env-file=/matrix/synapse/ext/s3-storage-provider/env \ +--mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \ +--entrypoint=/bin/sh \ +docker.io/amazon/aws-cli:2.9.16 \ +-c 'aws s3 sync /work/. s3://$BUCKET/ --endpoint-url=$ENDPOINT' +``` #### Copying data to Backblaze B2 From bfd8ee3977e4514f00dc245956f472821507e6de Mon Sep 17 00:00:00 2001 From: SapuSeven Date: Thu, 15 Jun 2023 22:34:38 +0200 Subject: [PATCH 27/74] Fix installing 'aux'-role on NTFS - Fixes #2738 --- playbooks/matrix.yml | 2 +- requirements.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 9ce1aebea..266f3b9e5 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -114,7 +114,7 @@ - custom/matrix-nginx-proxy - custom/matrix-coturn - - role: galaxy/aux + - role: galaxy/auxiliary - role: galaxy/com.devture.ansible.role.postgres_backup diff --git a/requirements.yml b/requirements.yml index e93903daa..867e6c53b 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -2,7 +2,7 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-1 - name: aux + name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.14-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git From 76db1587292951ea05bd2cb7dba2ac297d4cc6df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 16 Jun 2023 09:11:53 +0300 Subject: [PATCH 28/74] Adjust S3 docs section to not be so Wasabi-specific --- ...ng-playbook-synapse-s3-storage-provider.md | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 62ace208e..9fb26212a 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -112,23 +112,18 @@ docker run -it --rm \ docker.io/amazon/aws-cli:2.9.16 \ -c 'aws s3 sync /work/. s3://$BUCKET/' ``` -#### Copying data to Wasabi -To copy to Wasabi, start a container on the Matrix server like this: +#### Copying data to an S3 alternative using the aws-s3 tool -```sh -docker run -it --rm \ --w /work \ ---env-file=/matrix/synapse/ext/s3-storage-provider/env \ ---mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \ ---entrypoint=/bin/sh \ -docker.io/amazon/aws-cli:2.9.16 \ --c 'aws s3 sync /work/. s3://$BUCKET/ --endpoint-url=$ENDPOINT' -``` +To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument. + +Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command. #### Copying data to Backblaze B2 -To copy to Backblaze B2, start a container on the Matrix server like this: +You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below. + +To copy the data using the `b2` tool, start a container on the Matrix server like this: ```sh docker run -it --rm \ From bbe11f2612c1fad4162dd3175d11a215ac4817ef Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:11:06 +0300 Subject: [PATCH 29/74] Update mautrix-discord 0.4.0 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 98291d80d..dbb73aa45 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.4.0 +matrix_mautrix_discord_version: v0.5.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From 245a86f439b78e51a654cc6fb48a2a27b768f6ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:12:03 +0300 Subject: [PATCH 30/74] Update mautrix-whatsapp 0.8.5 -> 0.8.6 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 20cafa7ad..9ee461b5c 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.5 +matrix_mautrix_whatsapp_version: v0.8.6 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From df07b8fb7dbd575c260b38dd0389250fed75c17e Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:13:15 +0300 Subject: [PATCH 31/74] Update coturn 4.6.1-r3 -> 4.6.2-r3 --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index ebeed45f6..2abfe6f15 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.1-r3 +matrix_coturn_version: 4.6.2-r3 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 9315ba571d2006fb681e1faf169300f2698dc0ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:15:02 +0300 Subject: [PATCH 32/74] Update nginx 1.25.1 --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 77e501b7c..8ad11b375 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,7 @@ --- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.23.3-alpine +matrix_nginx_proxy_version: 1.25.1-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From 71e9b04fbe36e5c479847d9334750587b3467e05 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:18:34 +0300 Subject: [PATCH 33/74] Update mautrix-googlechat 0.4.0 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index 85f07b9d9..de0123043 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}" -matrix_mautrix_googlechat_version: v0.4.0 +matrix_mautrix_googlechat_version: v0.5.0 # See: https://mau.dev/mautrix/googlechat/container_registry matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" From 91fdd25e14ab2053caebce14dce66f4b149bff6a Mon Sep 17 00:00:00 2001 
From: Antonis Christofides Date: Mon, 5 Jun 2023 17:28:05 +0300 Subject: [PATCH 34/74] Move playbooks to root directory (fixes #2513) Some time ago a "playbooks" subdirectory had been created and setup.yml had been moved there (as matrix.yml), together with the new jitsi_jvb.yml. However, jitsi_jvb.yml wouldn't work at all, unless a symbolic link to it was created from the root directory. A symbolic link setup.yml for playbooks/matrix.yml had already been created and committed. This seems to indicate that the developers thought they should place all playbooks in a subdirectory, but when this didn't work, they linked to one of them, leaving the other one inoperative. We fix this by moving the playbooks to the root directory. This works, and the pollution of the root directory is not too bad since it's only two playbooks. We also change the mode of setup.yml to 644 (it had inexplicably changed to 755 in 9735a2f600). This contribution is provided by GRNET S.A. (grnet.gr). --- playbooks/jitsi_jvb.yml => jitsi_jvb.yml | 0 playbooks/matrix.yml | 143 ---------------------- setup.yml | 144 ++++++++++++++++++++++- 3 files changed, 143 insertions(+), 144 deletions(-) rename playbooks/jitsi_jvb.yml => jitsi_jvb.yml (100%) delete mode 100755 playbooks/matrix.yml mode change 120000 => 100644 setup.yml diff --git a/playbooks/jitsi_jvb.yml b/jitsi_jvb.yml similarity index 100% rename from playbooks/jitsi_jvb.yml rename to jitsi_jvb.yml diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml deleted file mode 100755 index 266f3b9e5..000000000 --- a/playbooks/matrix.yml +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -- name: "Set up a Matrix server" - hosts: "{{ target if target is defined else 'matrix_servers' }}" - become: true - - roles: - # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). - - role: galaxy/com.devture.ansible.role.playbook_help - - - role: galaxy/com.devture.ansible.role.systemd_docker_base - - - role: custom/matrix_playbook_migration - - - when: matrix_playbook_docker_installation_enabled | bool - role: galaxy/geerlingguy.docker - vars: - docker_install_compose: false - tags: - - setup-docker - - setup-all - - install-docker - - install-all - - - when: devture_docker_sdk_for_python_installation_enabled | bool - role: galaxy/com.devture.ansible.role.docker_sdk_for_python - tags: - - setup-docker - - setup-all - - install-docker - - install-all - - - when: devture_timesync_installation_enabled | bool - role: galaxy/com.devture.ansible.role.timesync - tags: - - setup-timesync - - setup-all - - install-timesync - - install-all - - - custom/matrix-base - - custom/matrix-dynamic-dns - - custom/matrix-mailer - - - role: galaxy/com.devture.ansible.role.postgres - - - galaxy/redis - - custom/matrix-corporal - - custom/matrix-bridge-appservice-discord - - custom/matrix-bridge-appservice-slack - - custom/matrix-bridge-appservice-webhooks - - custom/matrix-bridge-appservice-irc - - custom/matrix-bridge-appservice-kakaotalk - - custom/matrix-bridge-beeper-linkedin - - custom/matrix-bridge-go-skype-bridge - - custom/matrix-bridge-mautrix-facebook - - custom/matrix-bridge-mautrix-twitter - - custom/matrix-bridge-mautrix-hangouts - - custom/matrix-bridge-mautrix-googlechat - - custom/matrix-bridge-mautrix-instagram - - custom/matrix-bridge-mautrix-signal - - custom/matrix-bridge-mautrix-telegram - - custom/matrix-bridge-mautrix-whatsapp - - custom/matrix-bridge-mautrix-discord - - custom/matrix-bridge-mautrix-slack - - 
custom/matrix-bridge-mx-puppet-discord - - custom/matrix-bridge-mx-puppet-groupme - - custom/matrix-bridge-mx-puppet-steam - - custom/matrix-bridge-mx-puppet-slack - - custom/matrix-bridge-mx-puppet-twitter - - custom/matrix-bridge-mx-puppet-instagram - - custom/matrix-bridge-sms - - custom/matrix-bridge-heisenbridge - - custom/matrix-bridge-hookshot - - custom/matrix-bot-matrix-reminder-bot - - custom/matrix-bot-matrix-registration-bot - - custom/matrix-bot-maubot - - custom/matrix-bot-buscarron - - custom/matrix-bot-honoroit - - custom/matrix-bot-postmoogle - - custom/matrix-bot-go-neb - - custom/matrix-bot-mjolnir - - custom/matrix-bot-draupnir - - custom/matrix-bot-chatgpt - - custom/matrix-cactus-comments - - custom/matrix-rageshake - - custom/matrix-synapse - - custom/matrix-synapse-auto-compressor - - custom/matrix-synapse-reverse-proxy-companion - - custom/matrix-dendrite - - custom/matrix-conduit - - custom/matrix-synapse-admin - - galaxy/prometheus_node_exporter - - galaxy/prometheus_postgres_exporter - - custom/matrix-prometheus-nginxlog-exporter - - galaxy/prometheus - - galaxy/grafana - - custom/matrix-prometheus-services-connect - - custom/matrix-prometheus-services-proxy-connect - - custom/matrix-registration - - custom/matrix-client-element - - custom/matrix-client-hydrogen - - custom/matrix-client-cinny - - galaxy/jitsi - - custom/matrix-user-verification-service - - custom/matrix-ldap-registration-proxy - - custom/matrix-ma1sd - - custom/matrix-dimension - - galaxy/etherpad - - custom/etherpad-proxy-connect - - custom/matrix-sliding-sync - - custom/matrix-email2matrix - - custom/matrix-sygnal - - galaxy/ntfy - - custom/matrix-nginx-proxy - - custom/matrix-coturn - - - role: galaxy/auxiliary - - - role: galaxy/com.devture.ansible.role.postgres_backup - - - role: galaxy/backup_borg - - - custom/matrix-user-creator - - custom/matrix-common-after - - - role: galaxy/com.devture.ansible.role.container_socket_proxy - - - role: 
galaxy/com.devture.ansible.role.traefik - - - role: galaxy/com.devture.ansible.role.traefik_certs_dumper - - - when: devture_systemd_service_manager_enabled | bool - role: galaxy/com.devture.ansible.role.systemd_service_manager - - # This is pretty much last, because we want it to better serve as a "last known good configuration". - # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 - - when: devture_playbook_state_preserver_enabled | bool - role: galaxy/com.devture.ansible.role.playbook_state_preserver - tags: - - setup-all - - install-all - - - role: galaxy/com.devture.ansible.role.playbook_runtime_messages diff --git a/setup.yml b/setup.yml deleted file mode 120000 index 7acc4c4c9..000000000 --- a/setup.yml +++ /dev/null @@ -1 +0,0 @@ -playbooks/matrix.yml \ No newline at end of file diff --git a/setup.yml b/setup.yml new file mode 100644 index 000000000..266f3b9e5 --- /dev/null +++ b/setup.yml 
@@ -0,0 +1,143 @@ +--- +- name: "Set up a Matrix server" + hosts: "{{ target if target is defined else 'matrix_servers' }}" + become: true + + roles: + # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). + - role: galaxy/com.devture.ansible.role.playbook_help + + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - role: custom/matrix_playbook_migration + + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_timesync_installation_enabled | bool + role: galaxy/com.devture.ansible.role.timesync + tags: + - setup-timesync + - setup-all + - install-timesync + - install-all + + - custom/matrix-base + - custom/matrix-dynamic-dns + - custom/matrix-mailer + + - role: galaxy/com.devture.ansible.role.postgres + + - galaxy/redis + - custom/matrix-corporal + - custom/matrix-bridge-appservice-discord + - custom/matrix-bridge-appservice-slack + - custom/matrix-bridge-appservice-webhooks + - custom/matrix-bridge-appservice-irc + - custom/matrix-bridge-appservice-kakaotalk + - custom/matrix-bridge-beeper-linkedin + - custom/matrix-bridge-go-skype-bridge + - custom/matrix-bridge-mautrix-facebook + - custom/matrix-bridge-mautrix-twitter + - custom/matrix-bridge-mautrix-hangouts + - custom/matrix-bridge-mautrix-googlechat + - custom/matrix-bridge-mautrix-instagram + - custom/matrix-bridge-mautrix-signal + - custom/matrix-bridge-mautrix-telegram + - custom/matrix-bridge-mautrix-whatsapp + - custom/matrix-bridge-mautrix-discord + - custom/matrix-bridge-mautrix-slack + - 
custom/matrix-bridge-mx-puppet-discord + - custom/matrix-bridge-mx-puppet-groupme + - custom/matrix-bridge-mx-puppet-steam + - custom/matrix-bridge-mx-puppet-slack + - custom/matrix-bridge-mx-puppet-twitter + - custom/matrix-bridge-mx-puppet-instagram + - custom/matrix-bridge-sms + - custom/matrix-bridge-heisenbridge + - custom/matrix-bridge-hookshot + - custom/matrix-bot-matrix-reminder-bot + - custom/matrix-bot-matrix-registration-bot + - custom/matrix-bot-maubot + - custom/matrix-bot-buscarron + - custom/matrix-bot-honoroit + - custom/matrix-bot-postmoogle + - custom/matrix-bot-go-neb + - custom/matrix-bot-mjolnir + - custom/matrix-bot-draupnir + - custom/matrix-bot-chatgpt + - custom/matrix-cactus-comments + - custom/matrix-rageshake + - custom/matrix-synapse + - custom/matrix-synapse-auto-compressor + - custom/matrix-synapse-reverse-proxy-companion + - custom/matrix-dendrite + - custom/matrix-conduit + - custom/matrix-synapse-admin + - galaxy/prometheus_node_exporter + - galaxy/prometheus_postgres_exporter + - custom/matrix-prometheus-nginxlog-exporter + - galaxy/prometheus + - galaxy/grafana + - custom/matrix-prometheus-services-connect + - custom/matrix-prometheus-services-proxy-connect + - custom/matrix-registration + - custom/matrix-client-element + - custom/matrix-client-hydrogen + - custom/matrix-client-cinny + - galaxy/jitsi + - custom/matrix-user-verification-service + - custom/matrix-ldap-registration-proxy + - custom/matrix-ma1sd + - custom/matrix-dimension + - galaxy/etherpad + - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync + - custom/matrix-email2matrix + - custom/matrix-sygnal + - galaxy/ntfy + - custom/matrix-nginx-proxy + - custom/matrix-coturn + + - role: galaxy/auxiliary + + - role: galaxy/com.devture.ansible.role.postgres_backup + + - role: galaxy/backup_borg + + - custom/matrix-user-creator + - custom/matrix-common-after + + - role: galaxy/com.devture.ansible.role.container_socket_proxy + + - role: 
galaxy/com.devture.ansible.role.traefik + + - role: galaxy/com.devture.ansible.role.traefik_certs_dumper + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager + + # This is pretty much last, because we want it to better serve as a "last known good configuration". + # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 + - when: devture_playbook_state_preserver_enabled | bool + role: galaxy/com.devture.ansible.role.playbook_state_preserver + tags: + - setup-all + - install-all + + - role: galaxy/com.devture.ansible.role.playbook_runtime_messages From 71ed745be67e0132b67541d83ca4bbad61c642fd Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Mon, 5 Jun 2023 17:54:29 +0300 Subject: [PATCH 35/74] Documentation typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 4157231a5..ddae16b03 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -165,7 +165,7 @@ jitsi_prosody_max_participants: 4 # example value By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts. There is an ansible playbook that can be run with the following tag: -` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` +`ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example: ``` 
From 6ce94ba33f749480a5dc2418a3e273ac132650ff Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Sun, 11 Jun 2023 20:04:01 +0300 Subject: [PATCH 36/74] Fix additional JVB broken after move to external Jitsi role (fixes #2733) This contribution is provided by GRNET S.A. (grnet.gr). --- docs/configuring-playbook-jitsi.md | 10 ++++++++++ group_vars/jitsi_jvb_servers | 4 ++++ 2 files changed, 14 insertions(+) create mode 100644 group_vars/jitsi_jvb_servers diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index ddae16b03..d1353bb01 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -208,6 +208,16 @@ However, it can also be set the ip address of the matrix server. This can be use jitsi_xmpp_server: "192.168.0.1" ``` +For the JVB to be able ito contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the +port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but +the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this: + +```yaml +jitsi_prosody_container_jvb_host_bind_port: 5222 +``` + +(The default is empty; if it's set then docker forwards the port.) + The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable `matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses. diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers new file mode 100644 index 000000000..67815f7c0 --- /dev/null +++ b/group_vars/jitsi_jvb_servers @@ -0,0 +1,4 @@ +jitsi_architecture: "{{ matrix_architecture }}" +jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +jitsi_uid: "{{ matrix_user_uid }}" +jitsi_gid: "{{ matrix_user_gid }}" 
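Review bot: The four entries in the new `group_vars/jitsi_jvb_servers` all resolve to `matrix_*` values, but the file does not say where those are expected to come from on a host that is in `jitsi_jvb_servers` without also being in `matrix_servers`; if `matrix_architecture`, `matrix_server_fqn_jitsi`, `matrix_user_uid` and `matrix_user_gid` are only provided through `group_vars/matrix_servers`, templating on such a host fails with an undefined-variable error rather than a clear message. A header comment would make the contract explicit, e.g. `# Variables for additional JVB hosts (jitsi_jvb.yml). Each host here must also have matrix_architecture, matrix_server_fqn_jitsi, matrix_user_uid and matrix_user_gid resolvable (host_vars or membership in matrix_servers).` The file also omits the `---` document start that setup.yml in this series uses.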
From 2191136369f26c43129949db7a508f1ebf3aa9eb Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Sun, 11 Jun 2023 20:32:54 +0300 Subject: [PATCH 37/74] Enable jitsi_jvb service on additional JVB (fixes #2708) This contribution is provided by GRNET S.A. (grnet.gr). --- group_vars/jitsi_jvb_servers | 5 +++++ jitsi_jvb.yml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers index 67815f7c0..84009e2ca 100644 --- a/group_vars/jitsi_jvb_servers +++ b/group_vars/jitsi_jvb_servers @@ -2,3 +2,8 @@ jitsi_architecture: "{{ matrix_architecture }}" jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" jitsi_uid: "{{ matrix_user_uid }}" jitsi_gid: "{{ matrix_user_gid }}" + +devture_systemd_service_manager_services_list_auto: | + {{ + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + }} diff --git a/jitsi_jvb.yml b/jitsi_jvb.yml index 4054d308c..1ea63855a 100644 --- a/jitsi_jvb.yml +++ b/jitsi_jvb.yml @@ -10,3 +10,6 @@ - custom/matrix-base - galaxy/jitsi - custom/matrix-common-after + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager From cfc845b45e90082ada9c9d0da70f9f169a8a5166 Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Mon, 5 Jun 2023 19:59:27 +0300 Subject: [PATCH 38/74] Ensure docker is installed on additional JVBs (fixes #2706) This contribution is provided by GRNET S.A. (grnet.gr). --- group_vars/jitsi_jvb_servers | 2 ++ jitsi_jvb.yml | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers index 84009e2ca..af927c9f1 100644 --- a/group_vars/jitsi_jvb_servers +++ b/group_vars/jitsi_jvb_servers 
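Review bot: `devture_systemd_service_manager_services_list_auto` is overridden in `group_vars/jitsi_jvb_servers` without any comment, so a reader has to already know that this replaces the much larger service list assembled in `group_vars/matrix_servers` (the comment patched there in PATCH 40 says additional JVB workers override it at runtime). A line above it such as `# Additional JVB hosts only manage the JVB unit; this replaces the service list from group_vars/matrix_servers.` would document that. The `priority: 4100` and the `groups` list are duplicated literals; if the jitsi role already exposes the same values, referencing those instead would keep the two definitions from drifting.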
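Review bot: The new `when: devture_systemd_service_manager_enabled | bool` in jitsi_jvb.yml refers to a variable that nothing in this series defines for the `jitsi_jvb_servers` group, and the same applies to `devture_docker_sdk_for_python_installation_enabled` in the jitsi_jvb.yml hunk of PATCH 38 (the next hunk). PATCH 38 does take care to set `matrix_playbook_docker_installation_enabled: true` in `group_vars/jitsi_jvb_servers`, which suggests the other two guards need the same treatment; if those variables are only declared in `group_vars/matrix_servers`, a JVB host outside that group errors at the `when:` with an undefined variable instead of skipping or running the role. Either add explicit values for both in `group_vars/jitsi_jvb_servers` or make the guards tolerant with a `default()` filter whose value is chosen deliberately, e.g. `when: devture_systemd_service_manager_enabled | default(true) | bool` if the role is meant to run by default.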
@@ -7,3 +7,5 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) }} + +matrix_playbook_docker_installation_enabled: true diff --git a/jitsi_jvb.yml b/jitsi_jvb.yml index 1ea63855a..16acd0ee6 100644 --- a/jitsi_jvb.yml +++ b/jitsi_jvb.yml @@ -7,6 +7,26 @@ - role: galaxy/com.devture.ansible.role.playbook_help - role: galaxy/com.devture.ansible.role.systemd_docker_base + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + - custom/matrix-base - galaxy/jitsi - custom/matrix-common-after From 8c0119d7d89c75e4de04ac444114c211a9ce7c48 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 18 Jun 2023 08:50:55 +0300 Subject: [PATCH 39/74] Fix typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index d1353bb01..1213f46a7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
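Review bot: `matrix_playbook_docker_installation_enabled: true` is appended to `group_vars/jitsi_jvb_servers` without a comment explaining why JVB hosts need it set explicitly, and the two role blocks added to jitsi_jvb.yml are a verbatim copy of the setup.yml blocks plus the `setup-additional-jitsi-jvb` tag. Suggest a comment above the variable such as `# Additional JVB hosts are plain Docker hosts; have the playbook install Docker for them (see the geerlingguy.docker block in jitsi_jvb.yml).`, and a one-line comment above the copied blocks in jitsi_jvb.yml pointing at setup.yml so the two stay in sync when the Docker role's vars or tags change.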
@@ -208,7 +208,7 @@ However, it can also be set the ip address of the matrix server. This can be use jitsi_xmpp_server: "192.168.0.1" ``` -For the JVB to be able ito contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the +For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this: From 704a9abd9bc203194a3f47bdab1b0dcc0938fb3d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 18 Jun 2023 08:54:55 +0300 Subject: [PATCH 40/74] Fix file path in comment Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2746 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 79a503d5a..d225cc302 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: | # This list is not exhaustive and final. # Synapse workers are still injected into the list at runtime. -# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. +# Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. # # Priority levels are like this: # - core services (the homeserver) get a level of ~1000 From 0174840296f59c87db01e0334013cc3721834e8e Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 19 Jun 2023 18:02:36 +0300 Subject: [PATCH 41/74] Upgrade Hookshot (4.2.0 -> 4.3.0) --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 55dbdfea7..9276b6136 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.2.0 +matrix_hookshot_version: 4.3.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From c720d7bb1a37252e274ebaa6fad8ea500e0b4b2c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Jun 2023 10:55:05 +0300 Subject: [PATCH 42/74] Upgrade ddclient (v3.10.0-ls123 -> v3.10.0-ls24) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 5a60194a3..363122c2e 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls123 +matrix_dynamic_dns_version: v3.10.0-ls124 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From 2ca1b6f164d3e314cba3e8aec1939f06a7ba92cc Mon Sep 17 00:00:00 2001 From: Kevin Kengen Date: Tue, 20 Jun 2023 21:09:19 +1200 Subject: [PATCH 43/74] modified: roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 --- .../templates/config.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 830adca71..1949a2532 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 
@@ -143,15 +143,15 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }} + allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }} + default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }} + allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. From a94ebe7424d69806445a3f18c257d2ff5db38678 Mon Sep 17 00:00:00 2001 From: Antoine-Ali Zarrouk <3798576+sidewinder94@users.noreply.github.com> Date: Tue, 20 Jun 2023 15:03:12 +0200 Subject: [PATCH 44/74] Add documentation to detail the steps needed to federate using SRV delegation --- docs/howto-server-delegation.md | 1 + docs/howto-srv-server-delegation.md | 203 ++++++++++++++++++++++++++++ 2 files changed, 204 insertions(+) create mode 100644 docs/howto-srv-server-delegation.md diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index e9ca5bde6..36b0c2ab8 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md 
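Review bot: The three renamed references now require `matrix_mautrix_instagram_bridge_encryption_allow`, `matrix_mautrix_instagram_bridge_encryption_default` and `matrix_mautrix_instagram_bridge_encryption_key_sharing_allow` to exist in the instagram role's defaults, and this patch does not touch `roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml`; if they are not already declared there, rendering the template fails at `to_json` with an undefined variable. Before this fix the instagram bridge's encryption and key-sharing settings were presumably driven by the discord role's variables, so an operator who had set the instagram-named variables got no effect; a note in the role's changelog or defaults would help such users re-check their configuration. The hunk only covers the `encryption:` block, so a search for remaining `matrix_mautrix_discord_` references elsewhere in this template would confirm the copy-paste is fully corrected. The enclosing `bridge:` mapping starts before and continues after the hunk.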
@@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to: - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. +For more details on [how to configure the playbook to work with SRV delegation]() ### Obtaining certificates diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md new file mode 100644 index 000000000..cb0263045 --- /dev/null +++ b/docs/howto-srv-server-delegation.md 
@@ -0,0 +1,203 @@ +# Server Delegation via a DNS SRV record (advanced) + +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) + +## Prerequisites + +SRV delegation while still using the playbook provided traefik to get / renew the certificate requires a wildcard certificate. + +To obtain / renew one from let's encrypt, one needs to use a dns-01 challenge method instead of the default http-01. + +This means that thi is limited to the list of providers supported by traefik, unless you bring in your own certificate. + +The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) + +## The changes + +### Federation Endpoint + +```yaml +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) +``` + +This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make traefik route all traffic for which the path match this rule go to the federation endpoint. + +### Tell Traefik which certificate to serve for the federation endpoint + +Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell traefik to use a wildcard certificate in addition to one containing the base name. + +This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work. 
+ +```yaml +# To let traefik know which domains certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" +``` + +### Configure the DNS-01 challenge for let's encrypt + +Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from let's encrypt we are required to use the DNS-01 challenge. + +This will need 3 changes : +1. Add a new certificate resolver that works with DNS-01 +2. Configure the resolver to allow access to the DNS zone to configure the reocrds to answer the challenge (refer to [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set) +3. Tell the playbook to use the new resolver as default + +We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook. + + +```yaml +# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# 2. Configure the environment variables needed by traefik to automate the ACME DNS CHallenge (example for cloudflare) +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# 3. 
Instruct thep laybook to use the new ACME configuration +devture_traefik_certResolver_primary: "dns" +``` + +## Adjust coturn's configuration + +Last step is to alter the generated coturn configuration. + +By default, it is configured to wait on the certificate for the matrix subdomain using an instanced service using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to exxpand the "*" preventing coturn from starting. + +We also need to indicate to coturn where the wildcard certificate is. + +**⚠ WARNING ⚠** : On first start of the services, coturn might still fail to start because traefik is still in thep rocess of obtaining the certificates. If you still get an error, make sure traefik obtained the certificates and restart the coturn service. + +This should not happen again afterwards as traefik will renew certificates well before their expiry date, and the coturn service is setup to restart periodically. + +```yaml +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' 
+ matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` + +## Full example of a working configuration + +```yaml +# Choosing the reverse proxy implementation +matrix_playbook_reverse_proxy_type: playbook-managed-traefik +devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com + +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) + +# To let traefik know which domains certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" + +# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ 
devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# Instruct thep laybook to use the new ACME configuration +devture_traefik_certResolver_primary: "dns" + +# Configure the environment variables needed by traefik to automate the ACME DNS CHallenge +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` \ No newline at end of file 
From 9ab50ac8de89588accb9748c67bff8c8087833b3 Mon Sep 17 00:00:00 2001 From: Antoine-Ali ZARROUK <3798576+sidewinder94@users.noreply.github.com> Date: Tue, 20 Jun 2023 16:32:50 +0200 Subject: [PATCH 45/74] Fix inter-doc links --- docs/howto-server-delegation.md | 2 +- docs/howto-srv-server-delegation.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 36b0c2ab8..e9a6b23d8 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -49,7 +49,7 @@ To use DNS SRV record validation, you need to: - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. -For more details on [how to configure the playbook to work with SRV delegation]() +For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md) ### Obtaining certificates diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index cb0263045..284977aa4 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md @@ -1,6 +1,6 @@ # Server Delegation via a DNS SRV record (advanced) -**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) ## Prerequisites 
From eece91d7e22653b1b463bf2b0002f14ae264b8ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 20 Jun 2023 20:56:39 +0300 Subject: [PATCH 46/74] Update element v1.11.33 -> v1.11.34 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index f0ddbbede..a4e22a784 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.33 +matrix_client_element_version: v1.11.34 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From ce7a3fa6d74c25c7f755201dc97a6252f0d1c82b Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 20 Jun 2023 21:12:39 +0300 Subject: [PATCH 47/74] Update etherpad 1.8.18 -> 1.9.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 867e6c53b..680b23d84 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -30,7 +30,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
 version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
- version: v1.8.18-2
+ version: v1.9.0-0
 - src: git+https://github.com/geerlingguy/ansible-role-docker
 version: 6.1.0
 name: geerlingguy.docker
From 2da4d81ff6fbefa1b12c05c742e8708042538ef7 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Tue, 20 Jun 2023 21:14:23 +0300
Subject: [PATCH 48/74] Update synapse 1.85.2 -> 1.86.0
---
roles/custom/matrix-synapse/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 88ef768e9..964fde115 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -4,7 +4,7 @@ matrix_synapse_enabled: true
-matrix_synapse_version: v1.85.2
+matrix_synapse_version: v1.86.0
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
From a60a7d270545c6842bbfca8087e845f6cd999fd6 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 21 Jun 2023 09:05:11 +0300
Subject: [PATCH 49/74] Upgrade Traefik (v2.10.1-2 -> v2.10.3-0)
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 867e6c53b..ddc81b7dd 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -26,7 +26,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
 version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
- version: v2.10.1-2
+ version: v2.10.3-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
 version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
From eef0fd69bfba2974a148fdeb19a4a793e0ba2de2 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 21 Jun 2023 09:56:16 +0300
Subject: [PATCH 50/74] Fix some typos, add more links
---
docs/howto-srv-server-delegation.md | 51 +++++++++++++++--------------
1 file changed, 27 insertions(+), 24 deletions(-)
diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md
index 284977aa4..a1afe59de 100644
--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@@ -1,14 +1,16 @@
 # Server Delegation via a DNS SRV record (advanced)
-**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md)
+**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain.
+
+This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required.
 ## Prerequisites
-SRV delegation while still using the playbook provided traefik to get / renew the certificate requires a wildcard certificate.
+SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate.
-To obtain / renew one from let's encrypt, one needs to use a dns-01 challenge method instead of the default http-01.
+To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge).
-This means that thi is limited to the list of providers supported by traefik, unless you bring in your own certificate.
+This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate.
 The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers)
@@ -21,16 +23,16 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
 ```
-This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make traefik route all traffic for which the path match this rule go to the federation endpoint.
+This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.
 ### Tell Traefik which certificate to serve for the federation endpoint
-Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell traefik to use a wildcard certificate in addition to one containing the base name.
+Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
 This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
 ```yaml
-# To let traefik know which domains certificates to serve
+# To let Traefik know which domains' certificates to serve
 matrix_nginx_proxy_container_labels_additional_labels: |
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
@@ -38,22 +40,22 @@ matrix_nginx_proxy_container_labels_additional_labels: |
 ### Configure the DNS-01 challenge for let's encrypt
-Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from let's encrypt we are required to use the DNS-01 challenge.
+Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge.
-This will need 3 changes :
+This will need 3 changes:
 1. Add a new certificate resolver that works with DNS-01
-2. Configure the resolver to allow access to the DNS zone to configure the reocrds to answer the challenge (refer to [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set)
+2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set)
 3. Tell the playbook to use the new resolver as default
 We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook.
- ```yaml
 # 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
 devture_traefik_configuration_extension_yaml: |
 certificatesResolvers:
 dns:
 acme:
+ # To use a staging endpoint for testing purposes, uncomment the line below.
 # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
 email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
 dnsChallenge:
@@ -63,28 +65,28 @@ devture_traefik_configuration_extension_yaml: |
 - "8.8.8.8:53"
 storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
-# 2. Configure the environment variables needed by traefik to automate the ACME DNS CHallenge (example for cloudflare)
+# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
 devture_traefik_environment_variables: |
 CF_API_EMAIL=redacted
 CF_ZONE_API_TOKEN=redacted
 CF_DNS_API_TOKEN=redacted
 LEGO_DISABLE_CNAME_SUPPORT=true
-# 3. Instruct thep laybook to use the new ACME configuration
-devture_traefik_certResolver_primary: "dns"
+# 3. Instruct the playbook to use the new ACME configuration
+devture_traefik_certResolver_primary: dns
 ```
-## Adjust coturn's configuration
+## Adjust Coturn's configuration
-Last step is to alter the generated coturn configuration.
+The last step is to alter the generated Coturn configuration.
-By default, it is configured to wait on the certificate for the matrix subdomain using an instanced service using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to exxpand the "*" preventing coturn from starting.
+By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting.
-We also need to indicate to coturn where the wildcard certificate is.
+We also need to indicate to Coturn where the wildcard certificate is.
-**⚠ WARNING ⚠** : On first start of the services, coturn might still fail to start because traefik is still in thep rocess of obtaining the certificates. If you still get an error, make sure traefik obtained the certificates and restart the coturn service.
+**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`).
-This should not happen again afterwards as traefik will renew certificates well before their expiry date, and the coturn service is setup to restart periodically.
+This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically.
 ```yaml
 # Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
@@ -135,7 +137,7 @@ devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
 # To serve the federation from any domain, as long as the path match
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
-# To let traefik know which domains certificates to serve
+# To let Traefik know which domains' certificates to serve
 matrix_nginx_proxy_container_labels_additional_labels: |
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
@@ -145,6 +147,7 @@ devture_traefik_configuration_extension_yaml: |
 certificatesResolvers:
 dns:
 acme:
+ # To use a staging endpoint for testing purposes, uncomment the line below.
 # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
 email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
 dnsChallenge:
@@ -157,14 +160,14 @@ devture_traefik_configuration_extension_yaml: |
 # Instruct thep laybook to use the new ACME configuration
 devture_traefik_certResolver_primary: "dns"
-# Configure the environment variables needed by traefik to automate the ACME DNS CHallenge
+# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
 devture_traefik_environment_variables: |
 CF_API_EMAIL=redacted
 CF_ZONE_API_TOKEN=redacted
 CF_DNS_API_TOKEN=redacted
 LEGO_DISABLE_CNAME_SUPPORT=true
-# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
+# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
 matrix_coturn_systemd_required_services_list: ['docker.service']
 # This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
@@ -200,4 +203,4 @@ matrix_coturn_container_additional_volumes: |
 ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] ) }}
-```
\ No newline at end of file
+```
From b035ef1fa301636aa9815a514e8dc152f882cfc8 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 21 Jun 2023 17:37:29 +0300
Subject: [PATCH 51/74] Update hydrogen 0.3.8 -> 0.4.0
---
roles/custom/matrix-client-hydrogen/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml
index f3ddb81b6..de16c8b69 100644
--- a/roles/custom/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml
@@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true
 matrix_client_hydrogen_container_image_self_build: false
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
-matrix_client_hydrogen_version: v0.3.8
+matrix_client_hydrogen_version: v0.4.0
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
From a6e60378d9dd72e1879ca553feb5325b4bfcfed9 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 22 Jun 2023 21:16:39 +0300
Subject: [PATCH 52/74] Update grafana 9.5.3 -> 10.0.0
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 9ac4f9cef..34995e950 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,7 +35,7 @@
 version: 6.1.0
 name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v9.5.3-0
+ version: v10.0.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
 version: v8615-0
 name: jitsi
From 5e1c7c6cf189a49762e4b9e1d1511096b847be93 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 22 Jun 2023 21:17:18 +0300
Subject: [PATCH 53/74] Update prometheus postgres exporter 0.12.0 -> 0.13.0
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 9ac4f9cef..c8deb481b 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -47,7 +47,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.12.0-0
+ version: v0.13.0-0
 name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
From 38c8bd858a1d16f2472fce8c283312f74bc78743 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 22 Jun 2023 21:22:30 +0300
Subject: [PATCH 54/74] Update grafana 10.0.0 -> 10.0.1
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 34995e950..d424f38e5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,7 +35,7 @@
 version: 6.1.0
 name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v10.0.0-0
+ version: v10.0.1-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
 version: v8615-0
 name: jitsi
From fa2a81fc5ea4096214c0b332a314ff5bf226b00a Mon Sep 17 00:00:00 2001
From: Dan Arnfield
Date: Fri, 23 Jun 2023 18:02:56 -0500
Subject: [PATCH 55/74] Update prometheus_postgres_exporter
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 852fbf6a3..292b7a528 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -47,7 +47,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.13.0-0
+ version: v0.13.0-1
 name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
From 05faf1f73fc1d13f6c2ac9fe2a666854103fad40 Mon Sep 17 00:00:00 2001
From: Dan Arnfield
Date: Fri, 23 Jun 2023 18:05:47 -0500
Subject: [PATCH 56/74] Update synapse reverse proxy companion
---
.../matrix-synapse-reverse-proxy-companion/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
index 364cf2c7e..048ded6bb 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true
-matrix_synapse_reverse_proxy_companion_version: 1.23.3-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
From 5b968f47d2c254220be2ecb8afea855b455f1cd1 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Sun, 25 Jun 2023 10:35:14 +0300
Subject: [PATCH 57/74] Update prometheus 2.44.0 -> 2.45.0
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 292b7a528..d4bb1241e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -42,7 +42,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
 version: v2.5.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
- version: v2.44.0-0
+ version: v2.45.0-0
 name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
From 9142f4d2ee73f561f14f2aa1bc67b544e4895568 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Sun, 25 Jun 2023 10:35:53 +0300
Subject: [PATCH 58/74] Update borgmatic 1.7.14 -> 1.7.15
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 292b7a528..b61e230c8 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,7 +4,7 @@
 version: v1.0.0-1
 name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
- version: v1.2.4-1.7.14-0
+ version: v1.2.4-1.7.15-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
 version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
From 7b10e7d4e04c774675374b362c1fec257edcf14b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 26 Jun 2023 17:35:55 +0300
Subject: [PATCH 59/74] Upgrade mautrix-telegram (0.14.0 -> 0.14.1)
---
roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
index c5b7b9a39..79f835932 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
-matrix_mautrix_telegram_version: v0.14.0
+matrix_mautrix_telegram_version: v0.14.1
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
From d5fa6feeef2be95b1bc2b30fdc2ecc52e7e2837a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 27 Jun 2023 10:36:47 +0300
Subject: [PATCH 60/74] Upgrade ddclient (v3.10.0-ls124 -> v3.10.0-ls25)
---
roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml
index 363122c2e..98b8e9d45 100644
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
-matrix_dynamic_dns_version: v3.10.0-ls124
+matrix_dynamic_dns_version: v3.10.0-ls125
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
From b7d79a95fa65b4b7d07f5b2146526d9acf21bfee Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 28 Jun 2023 13:04:37 +0300
Subject: [PATCH 61/74] Update prometheus postgres exporter 0.13.0 -> 0.13.1
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 42cdf2849..4a8b77b72 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -47,7 +47,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.13.0-1
+ version: v0.13.1-0
 name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
From 19b83360d06bfb8d066783c7fb97abf956d27594 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 28 Jun 2023 21:54:06 +0300
Subject: [PATCH 62/74] Update ntfy 2.5.0 -> 2.6.0
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 4a8b77b72..63613a8cc 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
- version: v2.5.0-0
+ version: v2.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.45.0-0
 name: prometheus
From 47b643f870a3adf583dea54fd5dcbbaad6c810ac Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 28 Jun 2023 21:55:31 +0300
Subject: [PATCH 63/74] Update hookshot 4.3.0 -> 4.4.0
---
roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
index 9276b6136..3c1ba5193 100644
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
-matrix_hookshot_version: 4.3.0
+matrix_hookshot_version: 4.4.0
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
From 4a34efbe972354a7134c80280368a50fc3af006e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 29 Jun 2023 09:57:03 +0300
Subject: [PATCH 64/74] Upgrade ntfy (v2.6.0-0 -> v2.6.1-0)
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 63613a8cc..6f0262a3a 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
- version: v2.6.0-0
+ version: v2.6.1-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.45.0-0
 name: prometheus
From 0db4ca74fa4110bde9fd1f4ab35a928988bb0b6f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 30 Jun 2023 11:49:32 +0300
Subject: [PATCH 65/74] Upgrade Dendrite (0.12.0 -> 0.13.0)
Untested.
---
roles/custom/matrix-dendrite/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index 3c083b99d..1a83c7039 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/
 matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
-matrix_dendrite_docker_image_tag: "v0.12.0"
+matrix_dendrite_docker_image_tag: "v0.13.0"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
From d9bbe08771d2349afa98485e5256f386d7acf20d Mon Sep 17 00:00:00 2001
From: David Holdeman
Date: Fri, 30 Jun 2023 22:06:36 -0500
Subject: [PATCH 66/74] add note
---
examples/hosts | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/hosts b/examples/hosts
index ba08107b9..f96725f58 100644
--- a/examples/hosts
+++ b/examples/hosts
@@ -3,6 +3,7 @@
 #
 # To connect using a non-root user (and elevate to root with sudo later),
 # replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
+# If sudo requires a password, be sure to use the -K flag when calling Ansible to provide the password.
 #
 # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
 # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
From 8f93853845aff568f235d3d6f3ea6a5debfbf2bb Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 1 Jul 2023 09:32:30 +0300
Subject: [PATCH 67/74] Upgrade ntfy (v2.6.1-0 -> v2.6.2-0)
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 6f0262a3a..5a20ffe83 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
- version: v2.6.1-0
+ version: v2.6.2-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.45.0-0
 name: prometheus
From 321a3a93ab112115b830a6df90d598a020ff8b94 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 1 Jul 2023 09:39:19 +0300
Subject: [PATCH 68/74] Update hosts
---
examples/hosts | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/examples/hosts b/examples/hosts
index f96725f58..cb6459f97 100644
--- a/examples/hosts
+++ b/examples/hosts
@@ -2,8 +2,9 @@
 # If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
 #
 # To connect using a non-root user (and elevate to root with sudo later),
-# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
-# If sudo requires a password, be sure to use the -K flag when calling Ansible to provide the password.
+# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
+# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
+# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
 #
 # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
 # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
From 462d48814a42060d468b8b1cac209eafbff081fd Mon Sep 17 00:00:00 2001
From: Paul ALNET
Date: Sun, 2 Jul 2023 09:23:35 +0200
Subject: [PATCH 69/74] fix(linkedin): mismatched appservice id
Updated to match value in `roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2`.
---
roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
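Review bot: The new comment in examples/hosts recommends `become_password=PASSWORD_HERE` on the host line, which stores the sudo password in plaintext in an inventory file that is normally committed together with the rest of the configuration; the interactive `--ask-become-pass` route named in the same sentence avoids that, and a file-based password is better kept in a vault-encrypted variable than on the inventory line. Also confirm the variable name, since the become plugin reads `ansible_become_password` (or `ansible_become_pass`) and a bare `become_password` may be silently ignored as an ordinary host variable. A third comment line such as `# (A password stored here is kept in plaintext; prefer the interactive prompt or a vault-encrypted variable.)` would make the trade-off visible in the file users copy from.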
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
index ffcae97f1..75e9de550 100644
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@@ -111,7 +111,7 @@ matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_confi
 matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml | from_yaml | combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}"
 matrix_beeper_linkedin_registration_yaml: |
- id: linkedin
+ id: beeper_linkedin
 url: {{ matrix_beeper_linkedin_appservice_address }}
 as_token: "{{ matrix_beeper_linkedin_appservice_token }}"
 hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}"
From 36c55bcb331d5de9553b29b2d63dc8c08a79b475 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 14:14:27 +0300
Subject: [PATCH 70/74] Upgrade ddclient (v3.10.0-ls125 -> v3.10.0-ls26)
---
roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml
index 98b8e9d45..6369f1096 100644
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
-matrix_dynamic_dns_version: v3.10.0-ls125
+matrix_dynamic_dns_version: v3.10.0-ls126
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
From ce0eb973b05109cc7d0489d5ae1439aeb509d5a6 Mon Sep 17 00:00:00 2001
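Review bot: `id: beeper_linkedin` is now a literal that has to agree with the same value in config.yaml.j2 (the commit message says that is where it was copied from), which is exactly how the two drifted apart in the first place; defining the id once in defaults, e.g. `matrix_beeper_linkedin_appservice_id: beeper_linkedin`, and rendering it from that variable in both the registration and the bridge config would keep them in sync. Changing a registration's id presumably makes the homeserver treat the bridge as a new appservice, so a changelog note for existing deployments may be warranted. The `matrix_beeper_linkedin_registration_yaml` block continues beyond the hunk.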
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 16:47:35 +0300
Subject: [PATCH 71/74] Upgrade Coturn (4.6.2-r3 -> 4.6.2-r4)
---
roles/custom/matrix-coturn/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml
index 2abfe6f15..dd25df709 100644
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
-matrix_coturn_version: 4.6.2-r3
+matrix_coturn_version: 4.6.2-r4
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
From 2d941f2e7b20eb82bb30b58bd0bacdb7dff9180a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 17:38:49 +0300
Subject: [PATCH 72/74] Upgrade Element (v1.11.34 -> v1.11.35)
---
roles/custom/matrix-client-element/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index a4e22a784..368639cb0 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.34 +matrix_client_element_version: v1.11.35 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 13fb286dbe6568ba15c2ddbda8ddf3823fe6b46e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jul 2023 22:13:05 +0300 Subject: [PATCH 73/74] Upgrade Synapse (v1.86.0 -> v1.87.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 964fde115..768c71594 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.86.0 +matrix_synapse_version: v1.87.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 8668b0d772f698aa2b62231b0937d5e389f7b82c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jul 2023 22:14:34 +0300 Subject: [PATCH 74/74] Do not handle ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ from workers anymore Related to https://github.com/matrix-org/synapse/commit/0f02f0b4da92229e88e27a92ea3bfa523457bfc1 --- roles/custom/matrix-synapse/vars/main.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 0c6d6296c..9ac7afeb7 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -153,7 +153,6 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/v1/rooms/.*/hierarchy$ - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/ - ^/_matrix/client/v1/rooms/.*/threads$ - - ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(r0|v3|unstable)/account/whoami$
