From 495a4e5312b114736b552c047a1481e01e76f48e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 26 Sep 2025 02:11:04 +0000
Subject: [PATCH 01/21] chore(deps): update dependency prometheus_postgres_exporter to v0.18.0-0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 2a14deb9d..4307570e7 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -55,7 +55,7 @@ version: v1.9.1-11
 name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.17.1-8
+ version: v0.18.0-0
 name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
 version: v1.4.1-0
From 85504350aff33800d2183f7b2a77d7d9804e5e4e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 27 Sep 2025 05:51:14 +0000
Subject: [PATCH 02/21] chore(deps): update dependency traefik to v3.5.3-0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 4307570e7..323d0b3e5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -67,7 +67,7 @@ version: v1.1.0-0
 name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
- version: v3.5.2-0
+ version: v3.5.3-0
 name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
 version: v2.10.0-2
From 65d41bd84d0edb4e4d6cb0c67041bb110b4e1323 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 27 Sep 2025 09:29:21 +0000
Subject: [PATCH 03/21] chore(deps): update ghcr.io/jasonlaguidice/matrix-steam-bridge docker tag to v1.0.5
---
 roles/custom/matrix-bridge-steam/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-steam/defaults/main.yml b/roles/custom/matrix-bridge-steam/defaults/main.yml
index 644c19b99..f2cd6f1fe 100644
--- a/roles/custom/matrix-bridge-steam/defaults/main.yml
+++ b/roles/custom/matrix-bridge-steam/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_steam_bridge_container_image_self_build_repo: "https://github.com/jasonla
 matrix_steam_bridge_container_image_self_build_repo_version: "{{ 'main' if matrix_steam_bridge_version == 'latest' else matrix_steam_bridge_version }}"
 # renovate: datasource=docker depName=ghcr.io/jasonlaguidice/matrix-steam-bridge
-matrix_steam_bridge_version: 1.0.4
+matrix_steam_bridge_version: 1.0.5
 matrix_steam_bridge_docker_image: "{{ matrix_steam_bridge_docker_image_registry_prefix }}jasonlaguidice/matrix-steam-bridge:{{ matrix_steam_bridge_version }}"
 matrix_steam_bridge_docker_image_registry_prefix: "{{ 'localhost/' if matrix_steam_bridge_container_image_self_build else matrix_steam_bridge_docker_image_registry_prefix_upstream }}"
 matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}"
From 29d80b2243e1f0472d13f2908addb397fb94391d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 27 Sep 2025 20:53:14 +0000
Subject: [PATCH 04/21] chore(deps): update dependency markupsafe to v3.0.3
---
 i18n/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/requirements.txt b/i18n/requirements.txt
index 405fe8e51..aca2028f7 100644
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -9,7 +9,7 @@ imagesize==1.4.1
 Jinja2==3.1.6
 linkify-it-py==2.0.3
 markdown-it-py==4.0.0
-MarkupSafe==3.0.2
+MarkupSafe==3.0.3
 mdit-py-plugins==0.5.0
 mdurl==0.1.2
 myst-parser==4.0.1
From 796b5597f48dde6c7fb05c271f164a7082a0920e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 29 Sep 2025 06:04:27 +0000
Subject: [PATCH 05/21] chore(deps): update ajbura/cinny docker tag to v4.10.1
---
 roles/custom/matrix-client-cinny/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml
index a6d45b4c1..f57451acc 100644
--- a/roles/custom/matrix-client-cinny/defaults/main.yml
+++ b/roles/custom/matrix-client-cinny/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 # renovate: datasource=docker depName=ajbura/cinny
-matrix_client_cinny_version: v4.10.0
+matrix_client_cinny_version: v4.10.1
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_registry_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_client_cinny_docker_image_registry_prefix_upstream }}"
 matrix_client_cinny_docker_image_registry_prefix_upstream: "{{ matrix_client_cinny_docker_image_registry_prefix_upstream_default }}"
From 344f9bf7afdc798dbe7e0d83c0abcd19a2f873ca Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 29 Sep 2025 21:58:12 +0000
Subject: [PATCH 06/21] chore(deps): update dependency jitsi to v10532
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 323d0b3e5..74ebdc8b0 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -25,7 +25,7 @@ version: v11.6.5-1
 name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
- version: v10431-2
+ version: v10532-0
 name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
 version: v1.9.1-0
From a0858df60f242da20f81e1bf59480de496dcc7ee Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 29 Sep 2025 21:58:07 +0000
Subject: [PATCH 07/21] chore(deps): update dependency etherpad to v2.5.0-3
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 74ebdc8b0..759ef8745 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -16,7 +16,7 @@ version: 129c8590e106b83e6f4c259649a613c6279e937a
 name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
- version: v2.5.0-2
+ version: v2.5.0-3
 name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
 version: v4.98.1-r0-2-2
From 04773517dd24c00b8cc62adbff2b03fcbe14e84b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 30 Sep 2025 05:46:46 +0000
Subject: [PATCH 08/21] chore(deps): update dependency prometheus_postgres_exporter to v0.18.1-0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 759ef8745..343e3ff2c 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -55,7 +55,7 @@ version: v1.9.1-11
 name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.18.0-0
+ version: v0.18.1-0
 name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
 version: v1.4.1-0
From 91372da03cfd37838e4f1e14b77a823474d9926d Mon Sep 17 00:00:00 2001
From: adam-kress
Date: Tue, 30 Sep 2025 06:28:25 -0400
Subject: [PATCH 09/21] Upgrade Jitsi (v10532-0 -> v10532-1-0)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 343e3ff2c..38f5019af 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -25,7 +25,7 @@ version: v11.6.5-1
 name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
- version: v10532-0
+ version: v10532-1-0
 name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
 version: v1.9.1-0
From 42aa749f1491c2a659e290afac4c78ff1b7bcf68 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 30 Sep 2025 12:23:41 +0000
Subject: [PATCH 10/21] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.139.0
---
 roles/custom/matrix-synapse/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 6b1cb5dd8..1db3c85dd 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.138.2
+matrix_synapse_version: v1.139.0
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
From 895f149a349ac733a284fe57653035c2b8f66764 Mon Sep 17 00:00:00 2001
From: Suguru Hirahara
Date: Tue, 30 Sep 2025 23:25:04 +0900
Subject: [PATCH 11/21] Rename `etherpad_database_*` to `etherpad_database_postgres_*`
Signed-off-by: Suguru Hirahara
---
 group_vars/matrix_servers | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 606681aab..8f56c8d74 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers @@ -3793,10 +3793,10 @@ etherpad_systemd_required_services_list_auto: | ([postgres_identifier ~ '.service'] if postgres_enabled else []) }} -etherpad_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}" +etherpad_database_postgres_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}" etherpad_database_name: matrix_etherpad -etherpad_database_username: matrix_etherpad -etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" +etherpad_database_postgres_username: matrix_etherpad +etherpad_database_postgres_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -4492,9 +4492,9 @@ postgres_managed_databases_auto: | + ([{ 'name': etherpad_database_name, - 'username': etherpad_database_username, - 'password': etherpad_database_password, - }] if (etherpad_enabled and etherpad_database_type == 'postgres' and etherpad_database_hostname == postgres_connection_hostname) else []) + 'username': etherpad_database_postgres_username, + 'password': etherpad_database_postgres_password, + }] if (etherpad_enabled and etherpad_database_type == 'postgres' and etherpad_database_postgres_hostname == postgres_connection_hostname) else []) + ([{ 'name': prometheus_postgres_exporter_database_name, From cb6ae3de763d51863c7e998712a0eee2bc03b71f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev
Date: Wed, 1 Oct 2025 15:22:57 +0300
Subject: [PATCH 12/21] Upgrade Postgres (v17.6-7 -> v18.0-0)
Ref:
- https://github.com/mother-of-all-self-hosting/ansible-role-postgres/commit/d00258c03d8630970ede5ffd2a944e6827d7e484
- https://github.com/mother-of-all-self-hosting/ansible-role-postgres/commit/1a6031855342b7edf237352f92702e716370a169
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 38f5019af..e331d66d9 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -43,7 +43,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
 name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
- version: v17.6-7
+ version: v18.0-0
 name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
 version: v17-8
From dccfbcbdf50cdf97a125af1b6bf5df7a62e21ce3 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 1 Oct 2025 12:27:59 +0000
Subject: [PATCH 13/21] chore(deps): update ansible/ansible-lint action to v25.9.1
---
 .github/workflows/matrix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml
index e28a7adac..0b3a77221 100644
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -26,7 +26,7 @@ jobs:
 uses: actions/checkout@v5
 - name: Run ansible-lint
- uses: ansible/ansible-lint@v25.9.0
+ uses: ansible/ansible-lint@v25.9.1
 with:
 args: "roles/custom"
 setup_python: "true"
From 1eaa399c65ae3c22b9b50e3f3c21f28340f66bd6 Mon Sep 17 00:00:00 2001
From: Aine
Date: Wed, 1 Oct 2025 15:43:41 +0100
Subject: [PATCH 14/21] local postgres backup - support postgres v18
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index e331d66d9..e3223faf5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -46,7 +46,7 @@ version: v18.0-0
 name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
- version: v17-8
+ version: v18-0
 name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v3.5.0-1
From 704eae30406039b706089ac80038254fd597de40 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 1 Oct 2025 21:28:19 +0000
Subject: [PATCH 15/21] chore(deps): update dependency docker to v7.6.0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index e3223faf5..982ad0275 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -10,7 +10,7 @@ version: v0.4.1-0
 name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
- version: 7.5.5
+ version: 7.6.0
 name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
 version: 129c8590e106b83e6f4c259649a613c6279e937a
From 1b8c153c4a5cf8d068e8407591105a0a10f3e66c Mon Sep 17 00:00:00 2001
From: Aine
Date: Thu, 2 Oct 2025 12:11:33 +0100
Subject: [PATCH 16/21] Synapse Admin v0.11.1-etke48
---
 roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index f2709afa0..3beb54a11 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke47
+matrix_synapse_admin_version: v0.11.1-etke48
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"
From 8857f78a4d26dac499f37a684dabb461fd7c819b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 2 Oct 2025 14:36:51 +0300
Subject: [PATCH 17/21] Add `matrix_authentication_service_config_http_listener_web_resources*` variables for controlling Matrix Authentication Service's web HTTP listener's resources
---
 .../defaults/main.yml | 16 ++++++++++++++++
 .../templates/config.yaml.j2 | 8 +-------
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml
index 22f32457e..6358cee34 100644
--- a/roles/custom/matrix-authentication-service/defaults/main.yml
+++ b/roles/custom/matrix-authentication-service/defaults/main.yml
@@ -314,6 +314,22 @@ matrix_authentication_service_config_secrets_keys: |- # # ######################################################################################## +# Controls the resources exposed by the `web` HTTP listener. +matrix_authentication_service_config_http_listener_web_resources: "{{ matrix_authentication_service_config_http_listener_web_resources_default + matrix_authentication_service_config_http_listener_web_resources_auto + matrix_authentication_service_config_http_listener_web_resources_custom }}" +matrix_authentication_service_config_http_listener_web_resources_default: |- + {{ + [ + {'name': 'discovery'}, + {'name': 'human'}, + {'name': 'oauth'}, + {'name': 'compat'}, + {'name': 'graphql'}, + {'name': 'assets'}, + ] + }} +matrix_authentication_service_config_http_listener_web_resources_auto: [] +matrix_authentication_service_config_http_listener_web_resources_custom: [] + # Controls the `http.public_base` configuration setting. matrix_authentication_service_config_http_public_base: "https://{{ matrix_authentication_service_hostname }}{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}" diff --git a/roles/custom/matrix-authentication-service/templates/config.yaml.j2 b/roles/custom/matrix-authentication-service/templates/config.yaml.j2 index 32065d221..c0794ed77 100644 --- a/roles/custom/matrix-authentication-service/templates/config.yaml.j2 +++ b/roles/custom/matrix-authentication-service/templates/config.yaml.j2 @@ -2,13 +2,7 @@ http: listeners: - name: web - resources: - - name: discovery - - name: human - - name: oauth - - name: compat - - name: graphql - - name: assets + resources: {{ matrix_authentication_service_config_http_listener_web_resources | to_json }} binds: - address: '[::]:8080' proxy_protocol: false From db54063a0c9e4cde27b1e6c688113a888a6a0c28 Mon Sep 17 00:00:00 2001 
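Review bot: The three new variables in the `@@ -314,6 +314,22 @@` hunk share a single comment, so it is not stated which one an operator is expected to set: `_default` carries the built-in list, `_auto` appears reserved for the playbook, and `_custom` is the extension point. A comment above `matrix_authentication_service_config_http_listener_web_resources_custom` along the lines of `# Extra resources to serve on the web listener, appended after the defaults; override _default to drop a built-in one.` would make that explicit. This is worth stating because the template hunk in the same commit now emits the combined list verbatim through `to_json`, so anything added here is served on the `web` listener (which, judging by the `[::]:8080` bind in the template, is the externally proxied one) with no further filtering.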
From: Slavi Pantaleev Date: Thu, 2 Oct 2025 14:40:00 +0300 Subject: [PATCH 18/21] Add `matrix_authentication_service_admin_api_enabled` that controls if the Matrix Authentication Service's API is enabled Builds up on top of d0adc8a37473dee2214437b87b2db6b2081851ec --- .../custom/matrix-authentication-service/defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml index 6358cee34..233dd5676 100644 --- a/roles/custom/matrix-authentication-service/defaults/main.yml +++ b/roles/custom/matrix-authentication-service/defaults/main.yml @@ -326,6 +326,8 @@ matrix_authentication_service_config_http_listener_web_resources_default: |- {'name': 'graphql'}, {'name': 'assets'}, ] + + + [{'name': 'adminapi'} if matrix_authentication_service_admin_api_enabled else []] }} matrix_authentication_service_config_http_listener_web_resources_auto: [] matrix_authentication_service_config_http_listener_web_resources_custom: [] @@ -625,6 +627,10 @@ matrix_authentication_service_syn2mas_subcommand_extra_options: [] # - avoid setting up the "compatibility layer" (that is, avoid installing container labels that capture login endpoints like `/_matrix/client/*/login`, etc.) matrix_authentication_service_migration_in_progress: false +# Controls whether the admin API is enabled. +# Ref: https://element-hq.github.io/matrix-authentication-service/topics/admin-api.html#enabling-the-api +matrix_authentication_service_admin_api_enabled: false + ######################################################################################## # # # /Misc # From 3bf56e931d7ae535f6971cd0832557fe26c2b0e6 Mon Sep 17 00:00:00 2001 
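Review bot: The added line `[{'name': 'adminapi'} if matrix_authentication_service_admin_api_enabled else []]` in the `@@ -326,6 +326,8 @@` hunk places a conditional expression inside a list literal, so when the flag is false (the default introduced further down in this same commit) the expression yields `[[]]` and an empty array is appended to the resources list rather than nothing; MAS is unlikely to accept an empty array as a resource entry, so every deployment with the admin API disabled would be affected. The intended form is `([{'name': 'adminapi'}] if matrix_authentication_service_admin_api_enabled else [])`. Separately, the comment on `matrix_authentication_service_admin_api_enabled` in the `@@ -625` hunk could record where the API is exposed, e.g. `# When enabled, the Admin API is served on the web listener alongside the public resources.`, since that is not obvious from the variable alone.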
From: Slavi Pantaleev Date: Thu, 2 Oct 2025 14:58:48 +0300 Subject: [PATCH 19/21] Add support for Element Admin --- CHANGELOG.md | 11 +++ docs/configuring-playbook-element-admin.md | 71 ++++++++++++++ ...-playbook-matrix-authentication-service.md | 2 +- docs/configuring-playbook-synapse-admin.md | 4 +- group_vars/matrix_servers | 45 ++++++++- .../matrix-element-admin/defaults/main.yml | 97 +++++++++++++++++++ .../matrix-element-admin/tasks/install.yml | 77 +++++++++++++++ .../matrix-element-admin/tasks/main.yml | 24 +++++ .../matrix-element-admin/tasks/uninstall.yml | 29 ++++++ .../tasks/validate_config.yml | 26 +++++ .../matrix-element-admin/templates/env.j2 | 9 ++ .../matrix-element-admin/templates/labels.j2 | 45 +++++++++ .../systemd/matrix-element-admin.service.j2 | 52 ++++++++++ .../matrix-element-admin.service.j2.license | 3 + .../tasks/validate_config.yml | 2 +- setup.yml | 1 + 16 files changed, 494 insertions(+), 4 deletions(-) create mode 100644 docs/configuring-playbook-element-admin.md create mode 100644 roles/custom/matrix-element-admin/defaults/main.yml create mode 100644 roles/custom/matrix-element-admin/tasks/install.yml create mode 100644 roles/custom/matrix-element-admin/tasks/main.yml create mode 100644 roles/custom/matrix-element-admin/tasks/uninstall.yml create mode 100644 roles/custom/matrix-element-admin/tasks/validate_config.yml create mode 100644 roles/custom/matrix-element-admin/templates/env.j2 create mode 100644 roles/custom/matrix-element-admin/templates/labels.j2 create mode 100644 roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2 create mode 100644 roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2.license diff --git a/CHANGELOG.md b/CHANGELOG.md index cd8d2089e..4502b7512 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# 2025-10-02 + +## Element Admin support + +The playbook now supports [Element Admin](./docs/configuring-playbook-element-admin.md) - a new web-based administration panel for Synapse and [Matrix Authentication Service](./docs/configuring-playbook-matrix-authentication-service.md). + +Deployments based on Matrix Authentication Service may find it useful to run both Synapse Admin and Element Admin at the same time. + +Deployments that don't rely on Matrix Authentication Service are unlikely to find anything useful in Element Admin right now (it's too basic in its current form). + + # 2025-04-26 ## Continuwuity support diff --git a/docs/configuring-playbook-element-admin.md b/docs/configuring-playbook-element-admin.md new file mode 100644 index 000000000..d0b676971 --- /dev/null +++ b/docs/configuring-playbook-element-admin.md 
@@ -0,0 +1,71 @@ + + +# Setting up Element Admin (optional) + +The playbook can install and configure [Element Admin](https://github.com/element-hq/element-admin) for you. + +Element Admin is a web-based administration panel for Synapse and [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md). + +See the project's [documentation](https://github.com/element-hq/element-admin) to learn more. + +💡 **Note**: This project is still very young and doesn't have many features. For now, it's recommended to use [Synapse Admin](./configuring-playbook-synapse-admin.md) instead. Deployments that use [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md) can use Element Admin for user-management (something that Synapse Admin can't do), while continuing to use Synapse Admin for all other purposes. + +## Prerequisites + +- A [Synapse](configuring-playbook-synapse.md) homeserver with its Admin API enabled (the playbook automatically enables it for you when you enable Element Admin) +- [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md) with its Admin API enabled (the playbook automatically enables it for you when you enable Element Admin) + +## Decide on a domain and path + +By default, the Element Admin is configured to be served on the `admin.element.example.com` domain. + +If you'd like to run Element Admin on another hostname, see the [Adjusting the Element Admin URL](#adjusting-the-element-admin-url-optional) section below. + +## Adjusting DNS records (optional) + +By default, this playbook installs Element Admin on the `admin.element.` subdomain (`admin.element.example.com`) and requires you to create a `CNAME` record for `admin.element`, which targets `matrix.example.com`. + +When setting these values, replace `example.com` with your own. 
+ +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: + +```yaml +matrix_element_admin_enabled: true +``` + +### Adjusting the Element Admin URL (optional) + +By tweaking the `matrix_element_admin_hostname` variable, you can easily make the service available at a **different hostname** than the default one. + +Example additional configuration for your `vars.yml` file: + +```yaml +matrix_element_admin_hostname: element-admin.example.com +``` + +> [!WARNING] +> A `matrix_element_admin_path_prefix` variable is also available and mean to let you configure a path prefix for the Element Admin service, but **Element Admin does not support running under a sub-path yet**. + +## Installing + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below: + + +```sh +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + +The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all` + +`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too. + +## Usage + +Once installed, Element Call integrates seamlessly with Matrix clients like [Element Web](configuring-playbook-client-element-web.md) and Element X on mobile (iOS and Android). diff --git a/docs/configuring-playbook-matrix-authentication-service.md b/docs/configuring-playbook-matrix-authentication-service.md index 9173bd399..b1a110cf0 100644 --- a/docs/configuring-playbook-matrix-authentication-service.md 
+++ b/docs/configuring-playbook-matrix-authentication-service.md 
@@ -51,7 +51,7 @@ This section details what you can expect when switching to the Matrix Authentica - ❌ **Synapse password providers will need to be disabled**. You can no longer use [shared-secret-auth](./configuring-playbook-shared-secret-auth.md), [rest-auth](./configuring-playbook-rest-auth.md), [LDAP auth](./configuring-playbook-ldap-auth.md), etc. When the authentication flow is handled by MAS (not by Synapse anymore), it doesn't make sense to extend the Synapse authentication flow with additional modules. Many bridges used to rely on shared-secret-auth for doing double-puppeting (impersonating other users), but most (at least the mautrix bridges) nowadays use [Appservice Double Puppet](./configuring-playbook-appservice-double-puppet.md) as a better alternative. Older/maintained bridges may still rely on shared-secret-auth, as do other services like [matrix-corporal](./configuring-playbook-matrix-corporal.md). -- ❌ Certain **tools like [synapse-admin](./configuring-playbook-synapse-admin.md) do not have full compatibility with MAS yet**. synapse-admin already supports [login with access token](https://github.com/etkecc/synapse-admin/pull/58), browsing users (which Synapse will internally fetch from MAS) and updating user avatars. However, editing users (passwords, etc.) now needs to happen directly against MAS using the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html), which synapse-admin cannot interact with yet. +- ❌ Certain **tools like [synapse-admin](./configuring-playbook-synapse-admin.md) do not have full compatibility with MAS yet**. synapse-admin already supports [login with access token](https://github.com/etkecc/synapse-admin/pull/58), browsing users (which Synapse will internally fetch from MAS) and updating user avatars. However, editing users (passwords, etc.) 
now needs to happen directly against MAS using the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html), which synapse-admin cannot interact with yet. You may be interested in using [Element Admin](./configuring-playbook-element-admin.md) for these purposes. - ❌ **Some services experience issues when authenticating via MAS**: diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 4c992e09b..b35b28ccb 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -18,6 +18,8 @@ synapse-admin is a web UI tool you can use to **administrate users, rooms, media 💡 **Note**: the latest version of synapse-admin is hosted by [etke.cc](https://etke.cc/) at [admin.etke.cc](https://admin.etke.cc/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting. +💡 **Note**: The playbook also supports an alternative management UI in the shape of [Element Admin](./configuring-playbook-element-admin.md). However, it's currently less feature-rich than Synapse Admin and has a dependency on [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md). + ## Adjusting DNS records (optional) By default, this playbook installs Synapse Admin on the `matrix.` subdomain, at the `/synapse-admin` path (https://matrix.example.com/synapse-admin). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section. 
@@ -40,7 +42,7 @@ matrix_synapse_admin_enabled: true By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/etkecc/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) — the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable. > [!WARNING] -> If you're using [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md) (MAS) for authentication, you will be able to [log into synapse-admin with an access token](https://github.com/etkecc/synapse-admin/pull/58), but certain synapse-admin features (especially those around user management) will be limited or not work at all. +> If you're using [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md) (MAS) for authentication, you will be able to [log into synapse-admin with an access token](https://github.com/etkecc/synapse-admin/pull/58), but certain synapse-admin features (especially those around user management) will be limited or not work at all. You may be interested in using [Element Admin](docs/configuring-playbook-element-admin.md) for these purposes. ### Adjusting the Synapse Admin URL (optional) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8f56c8d74..a7cbb0369 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -453,6 +453,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else []) + + ([{'name': 'matrix-element-admin.service', 'priority': 4000, 'groups': ['matrix', 'element-admin']}] if matrix_element_admin_enabled else []) + + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + ([{'name': 'matrix-livekit-jwt-service.service', 'priority': 3500, 'groups': ['matrix', 'livekit-jwt-service']}] if matrix_livekit_jwt_service_enabled else []) @@ -682,6 +684,8 @@ matrix_authentication_service_config_email_port: "{{ 8025 if exim_relay_enabled matrix_authentication_service_config_email_mode: "{{ 'plain' if exim_relay_enabled else 'starttls' }}" matrix_authentication_service_config_email_from_address: "{{ exim_relay_sender_address }}" +matrix_authentication_service_admin_api_enabled: "{{ matrix_element_admin_enabled }}" + matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_container_image_registry_prefix_upstream_default }}" matrix_authentication_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" 
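Review bot: `matrix_authentication_service_admin_api_enabled: "{{ matrix_element_admin_enabled }}"` in the `@@ -682` hunk switches on a security-relevant MAS feature as a side effect of enabling a different component, and nothing near the line records why. A comment such as `# Element Admin manages users through the MAS Admin API, so enabling it also enables that API.` would make the coupling visible to anyone reading group_vars. Whether the playbook also checks that MAS itself is enabled when Element Admin is, is not visible in this chunk; the new role's validate_config.yml appears in the diffstat but lies outside it.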
@@ -4960,7 +4964,7 @@ matrix_synapse_container_labels_matrix_labels_enabled: "{{ not matrix_synapse_wo matrix_synapse_container_labels_public_client_root_redirection_enabled: "{{ matrix_synapse_container_labels_public_client_root_redirection_url != '' }}" matrix_synapse_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" -matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" +matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled or matrix_element_admin_enabled }}" matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled: "{{ (matrix_bot_draupnir_enabled and matrix_bot_draupnir_admin_api_enabled) }}" matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" 
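Review bot: The widening of `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled` to `matrix_synapse_admin_enabled or matrix_element_admin_enabled` makes Synapse's admin API internet-reachable for everyone who turns on Element Admin, and there is no comment or documentation pointer explaining that consequence. The endpoint is still gated by Synapse's own admin-token check, so this is an attack-surface change rather than an authentication bypass, but it is the kind of exposure an operator should opt into knowingly. Consider a comment above the line, e.g. `# Element Admin presumably calls the Synapse admin API from the browser, so it must be published on the public client entrypoint whenever Element Admin is enabled.`, and a note in the Element Admin docs so operators who need it can front the panel and the admin API with an IP allowlist.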
@@ -6437,6 +6441,45 @@ traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_contai # # ######################################################################## +######################################################################## +# # +# matrix-element-admin # +# # +######################################################################## + +# We don't enable this by default. +matrix_element_admin_enabled: false + +matrix_element_admin_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_element_admin_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_element_admin_container_image_registry_prefix_upstream_default }}" + +matrix_element_admin_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_element_admin_container_network: "{{ matrix_addons_container_network }}" + +matrix_element_admin_container_additional_networks_auto: |- + {{ + ( + ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + + + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_element_admin_container_labels_traefik_enabled) else []) + ) | unique + }} + +matrix_element_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_element_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_element_admin_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_element_admin_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +matrix_element_admin_systemd_required_services_list_auto: "{{ matrix_addons_homeserver_systemd_services_list }}" + 
+###################################################################### +# # +# /matrix-element-admin # +# # +###################################################################### + ######################################################################## # # diff --git a/roles/custom/matrix-element-admin/defaults/main.yml b/roles/custom/matrix-element-admin/defaults/main.yml new file mode 100644 index 000000000..ea76aa97a --- /dev/null +++ b/roles/custom/matrix-element-admin/defaults/main.yml 
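Review bot: There is no way in this block to restrict who can reach the Element Admin panel: it is routed on `traefik_entrypoint_primary` under `admin.{{ matrix_server_fqn_element }}` with no access-restriction middleware, so an administration UI is world-reachable by default. Login is presumably delegated to MAS, so this is an exposure question rather than a missing auth check, but the role offers no dedicated hook for an allowlist beyond `matrix_element_admin_container_labels_additional_labels`. I would state this in the section header so operators see it when they enable the role, e.g. `# Element Admin is exposed on the primary (public) entrypoint; attach a Traefik ipAllowList middleware via matrix_element_admin_container_labels_additional_labels if the panel should not be reachable from everywhere.`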
@@ -0,0 +1,97 @@ +# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev +# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +# Element Admin is a web-based administration panel for Synapse and Matrix Authentication Service +# Project source code URL: https://github.com/element-hq/element-admin + +matrix_element_admin_enabled: true + +# renovate: datasource=docker depName=oci.element.io/element-admin +matrix_element_admin_version: 0.1.3 + +matrix_element_admin_scheme: https + +# The hostname at which Element Admin is served. +matrix_element_admin_hostname: "admin.{{ matrix_server_fqn_element }}" + +# The path at which Element Admin is served. +# This value must either be `/` or not end with a slash (e.g. `/element-admin`). +matrix_element_admin_path_prefix: / + +matrix_element_admin_base_path: "{{ matrix_base_data_path }}/element-admin" + +matrix_element_admin_container_image_self_build: false +matrix_element_admin_container_image_self_build_repo: https://github.com/element-hq/element-admin +matrix_element_admin_container_image_self_build_repo_version: "{{ 'main' if matrix_element_admin_version == 'main' else matrix_element_admin_version }}" +matrix_element_admin_container_src_path: "{{ matrix_element_admin_base_path }}/container-src" + +matrix_element_admin_container_image: "{{ matrix_element_admin_container_image_registry_prefix }}element-admin:{{ matrix_element_admin_container_image_tag }}" +matrix_element_admin_container_image_tag: "{{ matrix_element_admin_version }}" +matrix_element_admin_container_image_force_pull: "{{ matrix_element_admin_container_image.endswith(':main') }}" +matrix_element_admin_container_image_registry_prefix: "{{ matrix_element_admin_container_image_registry_prefix_upstream }}" +matrix_element_admin_container_image_registry_prefix_upstream: "{{ matrix_element_admin_container_image_registry_prefix_upstream_default }}" 
+matrix_element_admin_container_image_registry_prefix_upstream_default: "oci.element.io/" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_element_admin_container_network: '' + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +matrix_element_admin_container_additional_networks: "{{ matrix_element_admin_container_additional_networks_default + matrix_element_admin_container_additional_networks_auto + matrix_element_admin_container_additional_networks_custom }}" +matrix_element_admin_container_additional_networks_default: [] +matrix_element_admin_container_additional_networks_auto: [] +matrix_element_admin_container_additional_networks_custom: [] + +# matrix_element_admin_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_element_admin_container_labels_additional_labels`. +matrix_element_admin_container_labels_traefik_enabled: true +matrix_element_admin_container_labels_traefik_docker_network: "{{ matrix_element_admin_container_network }}" +matrix_element_admin_container_labels_traefik_hostname: "{{ matrix_element_admin_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element-admin`). 
+matrix_element_admin_container_labels_traefik_path_prefix: "{{ matrix_element_admin_path_prefix }}" +matrix_element_admin_container_labels_traefik_rule: "Host(`{{ matrix_element_admin_container_labels_traefik_hostname }}`){% if matrix_element_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_admin_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_element_admin_container_labels_traefik_priority: 0 +matrix_element_admin_container_labels_traefik_entrypoints: web-secure +matrix_element_admin_container_labels_traefik_tls: "{{ matrix_element_admin_container_labels_traefik_entrypoints != 'web' }}" +matrix_element_admin_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# matrix_element_admin_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_element_admin_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_element_admin_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_element_admin_container_extra_arguments: [] + +# A list of extra arguments to pass to the container process. 
+matrix_element_admin_container_process_extra_arguments: [] + +# List of systemd services that the Element Admin service depends on +matrix_element_admin_systemd_required_services_list: "{{ matrix_element_admin_systemd_required_services_list_default + matrix_element_admin_systemd_required_services_list_auto + matrix_element_admin_systemd_required_services_list_custom }}" +matrix_element_admin_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +matrix_element_admin_systemd_required_services_list_auto: [] +matrix_element_admin_systemd_required_services_list_custom: [] + +# List of systemd services that the Element Admin service wants +matrix_element_admin_systemd_wanted_services_list: [] + +# Controls the `SERVER_NAME` environment variable, which should point to a Matrix homeserver domain name. +matrix_element_admin_environment_variable_server_name: "{{ matrix_domain }}" + +# Additional environment variables. +# +# Example: +# matrix_element_admin_environment_variables_additional_variables: | +# SOMETHING=1 +# ANOTHER="here" +matrix_element_admin_environment_variables_additional_variables: '' \ No newline at end of file diff --git a/roles/custom/matrix-element-admin/tasks/install.yml b/roles/custom/matrix-element-admin/tasks/install.yml new file mode 100644 index 000000000..d26973111 --- /dev/null +++ b/roles/custom/matrix-element-admin/tasks/install.yml 
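Review bot: The conditional in `matrix_element_admin_container_image_self_build_repo_version: "{{ 'main' if matrix_element_admin_version == 'main' else matrix_element_admin_version }}"` is a no-op — both branches evaluate to `matrix_element_admin_version` — and it departs from the `'latest' → 'main'` mapping the sibling roles use (compare the steam bridge default). With the version pinned to `0.1.3`, a self-build therefore checks out a git ref literally named `0.1.3`; whether upstream tags carry a `v` prefix I cannot verify from here, so this may or may not clone. Either drop the conditional and add a comment stating which git ref scheme the self-build expects, or, if a `latest` image tag is meant to be supported as elsewhere, write `"{{ 'main' if matrix_element_admin_version == 'latest' else matrix_element_admin_version }}"`.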
@@ -0,0 +1,77 @@ +# SPDX-FileCopyrightText: 2024 David Mehren +# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Ensure Element Admin paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + with_items: + - path: "{{ matrix_element_admin_base_path }}" + when: true + - path: "{{ matrix_element_admin_container_src_path }}" + when: "{{ matrix_element_admin_container_image_self_build }}" + when: item.when | bool + +- name: Ensure Element Admin support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_element_admin_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + with_items: + - labels + - env + +- name: Ensure Element Admin container image is pulled + community.docker.docker_image: + name: "{{ matrix_element_admin_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_element_admin_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_element_admin_container_image_force_pull }}" + when: "not matrix_element_admin_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_element_admin_container_image_self_build | bool + block: + - name: Ensure Element Admin repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_element_admin_container_image_self_build_repo }}" + version: "{{ matrix_element_admin_container_image_self_build_repo_version }}" + dest: "{{ 
matrix_element_admin_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_name }}" + register: matrix_element_admin_git_pull_results + + - name: Ensure Element Admin container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_element_admin_container_image }} + --file={{ matrix_element_admin_container_src_path }}/Dockerfile + {{ matrix_element_admin_container_src_path }} + changed_when: true + +- name: Ensure Element Admin container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_element_admin_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +- name: Ensure Element Admin systemd service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-element-admin.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-admin.service" + mode: 0644 diff --git a/roles/custom/matrix-element-admin/tasks/main.yml b/roles/custom/matrix-element-admin/tasks/main.yml new file mode 100644 index 000000000..524aba91e --- /dev/null +++ b/roles/custom/matrix-element-admin/tasks/main.yml @@ -0,0 +1,24 @@ +# SPDX-FileCopyrightText: 2024 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- tags: + - setup-all + - setup-element-admin + - install-all + - install-element-admin + block: + - when: matrix_element_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_element_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-element-admin + block: + - when: not matrix_element_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" 
diff --git a/roles/custom/matrix-element-admin/tasks/uninstall.yml b/roles/custom/matrix-element-admin/tasks/uninstall.yml new file mode 100644 index 000000000..d375d2179 --- /dev/null +++ b/roles/custom/matrix-element-admin/tasks/uninstall.yml @@ -0,0 +1,29 @@ +# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Check existence of Element Admin service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-admin.service" + register: matrix_element_admin_service_stat + +- when: matrix_element_admin_service_stat.stat.exists | bool + block: + - name: Ensure Element Admin is stopped + ansible.builtin.service: + name: matrix-element-admin + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure Element Admin systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-admin.service" + state: absent + + - name: Ensure Element Admin paths don't exist + ansible.builtin.file: + path: "{{ matrix_element_admin_base_path }}" + state: absent diff --git a/roles/custom/matrix-element-admin/tasks/validate_config.yml b/roles/custom/matrix-element-admin/tasks/validate_config.yml new file mode 100644 index 000000000..f531af567 --- /dev/null +++ b/roles/custom/matrix-element-admin/tasks/validate_config.yml 
@@ -0,0 +1,26 @@ +# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Fail if required Element Admin settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" + with_items: + - {'name': 'matrix_element_admin_hostname', when: true} + - {'name': 'matrix_element_admin_path_prefix', when: true} + - {'name': 'matrix_element_admin_container_network', when: true} + - {'name': 'matrix_element_admin_environment_variable_server_name', when: true} + +# Element Admin appears to hardcode all paths to `/` (e.g. `/config.json`, `/assets/...`). +# While we can properly serve the homepage and handle stripping the path prefix on our side, +# the hardcoded URLs in the Element Admin are pointing people to the wrong place, which is a problem. +- name: Fail if Element Admin path prefix is different than / + ansible.builtin.fail: + msg: >- + Element Admin with a path prefix other than '/' is not supported yet. + You have configured matrix_element_admin_path_prefix to '{{ matrix_element_admin_path_prefix }}'. + when: "matrix_element_admin_path_prefix != '/'" \ No newline at end of file diff --git a/roles/custom/matrix-element-admin/templates/env.j2 b/roles/custom/matrix-element-admin/templates/env.j2 new file mode 100644 index 000000000..b02e99c64 --- /dev/null +++ b/roles/custom/matrix-element-admin/templates/env.j2 @@ -0,0 +1,9 @@ +{# +SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +SERVER_NAME={{ matrix_element_admin_environment_variable_server_name }} + +{{ matrix_element_admin_environment_variables_additional_variables }} \ No newline at end of file 
diff --git a/roles/custom/matrix-element-admin/templates/labels.j2 b/roles/custom/matrix-element-admin/templates/labels.j2 new file mode 100644 index 000000000..f3b628258 --- /dev/null +++ b/roles/custom/matrix-element-admin/templates/labels.j2 
@@ -0,0 +1,45 @@ +{# +SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{% if matrix_element_admin_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_admin_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_admin_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-element-admin.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +{% if matrix_element_admin_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-admin-slashless-redirect.redirectregex.regex=({{ matrix_element_admin_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-element-admin-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-element-admin-slashless-redirect'] %} +{% endif %} + +{% if matrix_element_admin_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-admin-strip-prefix.stripprefix.prefixes={{ matrix_element_admin_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-element-admin-strip-prefix'] %} +{% endif %} + +traefik.http.routers.matrix-element-admin.rule={{ matrix_element_admin_container_labels_traefik_rule }} +{% if matrix_element_admin_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-element-admin.priority={{ matrix_element_admin_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-element-admin.service=matrix-element-admin +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-element-admin.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-element-admin.entrypoints={{ matrix_element_admin_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-admin.tls={{ matrix_element_admin_container_labels_traefik_tls | to_json }} +{% if 
matrix_element_admin_container_labels_traefik_tls %} +traefik.http.routers.matrix-element-admin.tls.certResolver={{ matrix_element_admin_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_element_admin_container_labels_additional_labels }} diff --git a/roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2 b/roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2 new file mode 100644 index 000000000..35e64d9e6 --- /dev/null +++ b/roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2 
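Review bot: `| quote` is the wrong escape for a regex: it is Ansible's shell-quoting filter, so a path prefix containing regex metacharacters would not be matched literally by the `redirectregex` rule, and a prefix that needs shell quoting would end up with stray single quotes inside the pattern. The branch is unreachable today because `validate_config.yml` rejects any prefix other than `/`, so this is latent, but it will surface as soon as that restriction is lifted. Use the regex escape instead: `traefik.http.middlewares.matrix-element-admin-slashless-redirect.redirectregex.regex=({{ matrix_element_admin_container_labels_traefik_path_prefix | regex_escape }})$`.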
@@ -0,0 +1,52 @@ +#jinja2: lstrip_blocks: True +[Unit] +Description=Element Admin +{% for service in matrix_element_admin_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_element_admin_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-admin 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-admin 2>/dev/null || true' + +{# + We mount a tmpfs at /tmp, because `/docker-entrypoint.d/replace-config.sh` writes temporary files there. +#} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-element-admin \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_element_admin_container_network }} \ + --env-file={{ matrix_element_admin_base_path }}/env \ + --label-file={{ matrix_element_admin_base_path }}/labels \ + --tmpfs=/tmp:rw,noexec,nosuid,size=1024m \ + {% for arg in matrix_element_admin_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_element_admin_container_image }} {{ matrix_element_admin_container_process_extra_arguments | join(' ') }} + +{% for network in matrix_element_admin_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-admin +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-admin + +ExecStop=-{{ 
devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-admin 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-admin 2>/dev/null || true' + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-element-admin + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2.license b/roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2.license new file mode 100644 index 000000000..e18b238ea --- /dev/null +++ b/roles/custom/matrix-element-admin/templates/systemd/matrix-element-admin.service.j2.license @@ -0,0 +1,3 @@ +SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev + +SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index fcc4f4bb8..86fb84705 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -28,7 +28,7 @@ # the hardcoded URLs in the Element Call are pointing people to the wrong place, which is a problem. - name: Fail if Element Call path prefix is different than / ansible.builtin.fail: - msg: > + msg: >- Element Call with a path prefix other than '/' is not supported yet. You have configured matrix_element_call_path_prefix to '{{ matrix_element_call_path_prefix }}'. when: "matrix_element_call_path_prefix != '/'" diff --git a/setup.yml b/setup.yml index c83fade82..7e4168440 100644 --- a/setup.yml +++ b/setup.yml 
@@ -135,6 +135,7 @@ - custom/matrix-media-repo - custom/matrix-pantalaimon + - custom/matrix-element-admin - custom/matrix-element-call - galaxy/livekit_server - custom/matrix-livekit-jwt-service From 677b1ea55b26d497b890c398af5ff79dba15c543 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Oct 2025 15:00:42 +0300 Subject: [PATCH 20/21] Make yamllint happy --- roles/custom/matrix-element-admin/defaults/main.yml | 2 +- roles/custom/matrix-element-admin/tasks/validate_config.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-admin/defaults/main.yml b/roles/custom/matrix-element-admin/defaults/main.yml index ea76aa97a..982d5072c 100644 --- a/roles/custom/matrix-element-admin/defaults/main.yml +++ b/roles/custom/matrix-element-admin/defaults/main.yml @@ -94,4 +94,4 @@ matrix_element_admin_environment_variable_server_name: "{{ matrix_domain }}" # matrix_element_admin_environment_variables_additional_variables: | # SOMETHING=1 # ANOTHER="here" -matrix_element_admin_environment_variables_additional_variables: '' \ No newline at end of file +matrix_element_admin_environment_variables_additional_variables: '' diff --git a/roles/custom/matrix-element-admin/tasks/validate_config.yml b/roles/custom/matrix-element-admin/tasks/validate_config.yml index f531af567..72f01e1af 100644 --- a/roles/custom/matrix-element-admin/tasks/validate_config.yml +++ b/roles/custom/matrix-element-admin/tasks/validate_config.yml @@ -23,4 +23,4 @@ msg: >- Element Admin with a path prefix other than '/' is not supported yet. You have configured matrix_element_admin_path_prefix to '{{ matrix_element_admin_path_prefix }}'. - when: "matrix_element_admin_path_prefix != '/'" \ No newline at end of file + when: "matrix_element_admin_path_prefix != '/'" From 931056a1dc7078102c354aab3eb65e759a43fb3d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 2 Oct 2025 15:06:16 +0300 Subject: [PATCH 21/21] Make pre-commit happy --- roles/custom/matrix-element-admin/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-admin/templates/env.j2 b/roles/custom/matrix-element-admin/templates/env.j2 index b02e99c64..cf0038a3d 100644 --- a/roles/custom/matrix-element-admin/templates/env.j2 +++ b/roles/custom/matrix-element-admin/templates/env.j2 @@ -6,4 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later SERVER_NAME={{ matrix_element_admin_environment_variable_server_name }} -{{ matrix_element_admin_environment_variables_additional_variables }} \ No newline at end of file +{{ matrix_element_admin_environment_variables_additional_variables }}