diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index 22ba92532..0ff5748cb 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml @@ -9,8 +9,9 @@ skip_list: - schema - command-instead-of-shell - role-name + - var-naming[no-role-prefix] # We frequently load configuration from a template (into a variable), then merge that with another variable (configuration extension) # before finally dumping it to a file. - template-instead-of-copy -offline: false +offline: true diff --git a/.editorconfig b/.editorconfig index 6d5dc09a1..dc97b48dd 100644 --- a/.editorconfig +++ b/.editorconfig @@ -19,6 +19,14 @@ trim_trailing_whitespace = true indent_style = space indent_size = 2 +[group_vars/matrix_servers] +indent_style = space +indent_size = 2 + +[justfile] +indent_style = space +indent_size = 4 + # Markdown Files # # Two spaces at the end of a line in Markdown mean "new line", diff --git a/.envrc b/.envrc new file mode 100644 index 000000000..8392d159f --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake \ No newline at end of file diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 8da5b9690..f38ae3525 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1.3.1 + uses: frenck/action-yamllint@v1.4.1 ansible-lint: name: ansible-lint runs-on: ubuntu-latest @@ -21,4 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@main + uses: ansible-community/ansible-lint-action@v6.17.0 + with: + path: roles/custom diff --git a/.gitignore b/.gitignore index 0b64b8594..6b56900a8 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,8 @@ /roles/**/files/scratchpad .DS_Store .python-version +.idea/ +flake.lock # ignore roles pulled by ansible-galaxy /roles/galaxy/* diff --git a/CHANGELOG.md b/CHANGELOG.md index 209e99459..3db319afe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,14 +1,638 @@ +# 2023-07-24 + +## matrix-registration-bot usage changed + +[matrix-registration-bot](docs/configuring-playbook-bot-matrix-registration-bot.md) got some updates and now supports password-only-based login. Therefore the bot now doesn't need any manual configuration except setting a password in your `vars.yml`. The bot will be registered as admin and access tokens will be obtained automatically by the bot. + +**For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password` if you previously only used `matrix_bot_matrix_registration_bot_bot_access_token`. Please also remove the following deprecated settings + +* `matrix_bot_matrix_registration_bot_bot_access_token` +* `matrix_bot_matrix_registration_bot_api_token` + +# 2023-07-21 + +## mautrix-gmessages support + +Thanks to [Shreyas Ajjarapu](https://github.com/shreyasajj)'s efforts, the playbook now supports bridging to [Google Messages](https://messages.google.com/) via the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge. See our [Setting up Mautrix Google Messages bridging](docs/configuring-playbook-bridge-mautrix-gmessages.md) documentation page for getting started. + +# 2023-07-17 + +## matrix-media-repo support + +Thanks to [Michael Hollister](https://github.com/Michael-Hollister) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook can now set up [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) - an alternative way to store homeserver media files, powered by a homeserver-independent implementation which supports S3 storage, IPFS, deduplication and other advanced features. + +To learn more see our [Storing Matrix media files using matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) documentation page. + + +# 2023-05-25 + +## Enabling `forget_rooms_on_leave` by default for Synapse + +With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`. +This way, **when you leave a room, Synapse will now forget it automatically**. + +The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving. + +**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing. + +If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false` + + +# 2023-04-03 + +## The matrix-jitsi role lives independently now + +**TLDR**: the `matrix-jitsi` role is now included from the [ansible-role-jitsi](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact. + +The `matrix-jitsi` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Jitsi stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so. + +As part of the extraction process of this role out of the Matrix playbook, a few other things improved: + +- **native Traefik support** has been added +- **support for hosting under a subpath** has been added, although it suffers from a few minor issues listed [here](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/jitsi.md#url) + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Jitsi or not. + +If you're making use of Jitsi via this playbook, you will need to update variable references in your `vars.yml` file: + + - `matrix_jitsi_*_docker_image_` -> `matrix_jitsi_*_container_image_` + - `matrix_jitsi_` -> `jitsi_` + - some other internal variables have changed, but the playbook will tell you about them + +# 2023-03-22 + +## ntfy Web App is disabled by default + +ntfy provides a web app, which is now disabled by default, because it may be unknown to and unused by most users of this playbook. You can enable it by setting `ntfy_web_root: "app"` (see [ntfy documentation](docs/configuring-playbook-ntfy.md)). + +This change was already applied a while before this entry, but as some users were reporting the missing web app, this entry was added (see [#2529](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2529)). + + +# 2023-03-21 + +## The matrix-prometheus role lives independently now + +**TLDR**: the `matrix-prometheus` role is now included from the [ansible-role-prometheus](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact. + +The `matrix-prometheus` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Prometheus stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so. + +Extracting the Prometheus role out of this Matrix playbook required huge internal refactoring to the way the Prometheus configuration (scraping jobs) is generated. If you notice any breakage after upgrading, let us know. + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not. + +If you're making use of Prometheus via this playbook, you will need to update variable references in your `vars.yml` file: + + - `matrix_prometheus_docker_image_` -> `matrix_prometheus_container_image_` + - `matrix_prometheus_` -> `prometheus_` + - some other internal variables have changed, but the playbook will tell you about them + + +# 2023-03-12 + +## synapse-auto-compressor support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state)'s `synapse_auto_compressor` tool to run periodically. + +If enabled, `synapse_auto_compressor` runs on a schedule and compresses your Synapse database's `state_groups` table. It was possible to run `rust-synapse-compress-state` manually via the playbook even before - see [Compressing state with rust-synapse-compress-state](docs/maintenance-synapse.md#compressing-state-with-rust-synapse-compress-state). However, using `synapse_auto_compressor` is better, because: + +- it runs on a more up-to-date version of `rust-synapse-compress-state` +- it's a set-it-and-forget-it tool that you can enable and never have to deal with manual compression anymore + +This tool needs to be enabled manually, for now. In the future, we're considering enabling it by default for all Synapse installations. + +See our [Setting up synapse-auto-compressor](docs/configuring-playbook-synapse-auto-compressor.md) documentation to get started. + + +# 2023-03-07 + +## Sliding Sync Proxy (Element X) support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync). + +The upcoming Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. **These clients are still in beta** (especially Element X Android, which requires manual compilation to get it working with a non-`matrix.org` homeseserver). Playbook users can now easily give these clients a try and help test them thanks to us having `sliding-sync` support. + +To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page. + + +# 2023-03-02 + +## The matrix-etherpad role lives independently now + +**TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact. + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not. + +If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file: + +- Rename `matrix_etherpad_public_endpoint` to `etherpad_path_prefix` + +- Replace `matrix_etherpad_mode: dimension` with: + - for `matrix-nginx-proxy` users: + - `etherpad_nginx_proxy_dimension_integration_enabled: true` + - `etherpad_hostname: "{{ matrix_server_fqn_dimension }}"` + - for Traefik users: + - define your own `etherpad_hostname` and `etherpad_path_prefix` as you see fit + +- Rename all other variables: + - `matrix_etherpad_docker_image_` -> `matrix_etherpad_container_image_` + - `matrix_etherpad_` -> `etherpad_` + +Along with this relocation, the new role also: + +- supports [self-building](docs/self-building.md), so it should work on `arm32` and `arm64` architectures +- has native Traefik reverse-proxy support (Etherpad requests no longer go through `matrix-nginx-proxy` when using Traefik) + + +# 2023-02-26 + +## Traefik is the default reverse-proxy now + +**TLDR**: new installations will now default to Traefik as their reverse-proxy. Existing users need to explicitly choose their reverse-proxy type. [Switching to Traefik](#how-do-i-switch-my-existing-setup-to-traefik) is strongly encouraged. `matrix-nginx-proxy` may break over time and will ultimately be removed. + +As mentioned 2 weeks ago in [(Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support](#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support), the playbook is moving to Traefik as its default SSL-terminating reverse-proxy. + +Until now, we've been doing the migration gradually and keeping full backward compatibility. New installations were defaulting to `matrix-nginx-proxy` (just like before), while existing installations were allowed to remain on `matrix-nginx-proxy` as well. This makes things very difficult for us, because we need to maintain and think about lots of different setups: + +- Traefik managed by the playbook +- Traefik managed by the user in another way +- another reverse-proxy on the same host (`127.0.0.1` port exposure) +- another reverse-proxy on another host (`0.0.0.0` port exposure) +- `matrix-nginx-proxy` - an `nginx` container managed by the playbook +- `nginx` webserver operated by the user, running without a container on the same server + +Each change we do and each new feature that comes in needs to support all these different ways of reverse-proxying. Because `matrix-nginx-proxy` was the default and pretty much everyone was (and still is) using it, means that new PRs also come with `matrix-nginx-proxy` as their main focus and Traefik as an afterthought, which means we need to spend hours fixing up Traefik support. + +We can't spend all this time maintaining so many different configurations anymore. Traefik support has been an option for 2 weeks and lots of people have already migrated their server and have tested things out. Traefik is what we use and preferentially test for. + +It's time for the **next step in our migration process** to Traefik and elimination of `matrix-nginx-proxy`: + +- Traefik is now the default reverse-proxy for new installations +- All existing users need to explicitly choose their reverse-proxy type by defining the `matrix_playbook_reverse_proxy_type` variable in their `vars.yml` configuration file. We strongly encourage existing users to [switch the Traefik](#how-to-switch-an-existing-setup-to-traefik), as the nginx setup is bound to become more and more broken over time until it's ultimately removed + +### How do I switch my existing setup to Traefik? + +**For users who are on `matrix-nginx-proxy`** (the default reverse-proxy provided by the playbook), switching to Traefik can happen with a simple configuration change. Follow this section from 2 weeks ago: [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now). + +If you experience trouble: + +1. Follow [How do I remain on matrix-nginx-proxy?](#how-do-i-remain-on-matrix-nginx-proxy) to bring your server back online using the old reverse-proxy +2. Ask for help in our [support channels](README.md#support) +3. Try switching to Traefik again later + +**For users with a more special reverse-proxying setup** (another nginx server, Apache, Caddy, etc.), the migration may not be so smooth. Follow the [Using your own webserver](docs/configuring-playbook-own-webserver.md) guide. Ideally, your custom reverse-proxy will be configured in such a way that it **fronts the Traefik reverse-proxy** provided by the playbook. Other means of reverse-proxying are more fragile and may be deprecated in the future. + +### I already use my own Traefik server. How do I plug that in? + +See the [Traefik managed by the playbook](docs/configuring-playbook-own-webserver.md#traefik-managed-by-the-playbook) section. + +### Why is matrix-nginx-proxy used even after switching to Traefik? + +This playbook manages many different services. All these services were initially integrated with `matrix-nginx-proxy`. + +While we migrate all these components to have native Traefik support, some still go through nginx internally (Traefik -> local `matrix-nginx-proxy` -> component). +As time goes on, internal reliance on `matrix-nginx-proxy` will gradually decrease until it's completely removed. + +### How do I remain on matrix-nginx-proxy? + +Most new work and testing targets Traefik, so remaining on nginx is **not** "the good old stable" option, but rather the "still available, but largely untested and likely to be broken very soon" option. + +To proceed regardless of this warning, add `matrix_playbook_reverse_proxy_type: playbook-managed-nginx` to your configuration. + +At some point in the **near** future (days, or even weeks at most), we hope to completely get rid of `matrix-nginx-proxy` (or break it enough to make it unusable), so you **will soon be forced to migrate** anyway. Plan your migration accordingly. + +### How do I keep using my own other reverse-proxy? + +We recommend that you follow the guide for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). + + +# 2023-02-25 + +## Rageshake support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn), the playbook can now install and configure the [Rageshake](https://github.com/matrix-org/rageshake) bug report server. + +Additional details are available in [Setting up Rageshake](docs/configuring-playbook-rageshake.md). + + +# 2023-02-17 + +## Synapse templates customization support + +The playbook can now help you customize Synapse's templates. + +Additional details are available in the [Customizing templates](docs/configuring-playbook-synapse.md#customizing-templates) section of our Synapse documentation. + +## The matrix-redis role lives independently now + +**TLDR**: the `matrix-redis` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks. + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`). + +## The matrix-ntfy role lives independently now + +**TLDR**: the `matrix-ntfy` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks. + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`). + + +# 2023-02-15 + +## The matrix-grafana role lives independently now + +**TLDR**: the `matrix-grafana` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks. + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`). + + +# 2023-02-13 + +## The matrix-backup-borg role lives independently now + +**TLDR**: the `matrix-backup-borg` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon. + +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`). + + +# 2023-02-12 + +## (Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support + +**TLDR**: + +- there's a new `matrix_playbook_reverse_proxy_type` variable (see [roles/custom/matrix-base/defaults/main.yml](roles/custom/matrix-base/defaults/main.yml)), which lets you tell the playbook what reverse-proxy setup you'd like to have. This makes it easier for people who want to do reverse-proxying in other ways. +- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing `matrix-nginx-proxy` users should not observe any changes** and can stay on this for now. +- **Users who use their [own other webserver](docs/configuring-playbook-own-webserver.md) (e.g. Apache, etc.) need to change** `matrix_playbook_reverse_proxy_type` to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container` +- we now have **optional [Traefik](https://traefik.io/) support**, so you could easily host Matrix and other Traefik-native services in containers on the same server. Traefik support is still experimental (albeit, good enough) and will improve over time. It does work, but certain esoteric features may not be there yet. +- **Traefik will become the default reverse-proxy in the near future**. `matrix-nginx-proxy` will either remain as an option, or be completely removed to simplify the playbook + +### Motivation for redoing our reverse-proxy setup + +The playbook has supported various reverse-proxy setups for a long time. +We have various configuration variables (`matrix_nginx_proxy_enabled`, various `_host_bind_port` variables, etc.) which allow the playbook to adapt to these different setups. The whole situation was messy though - hard to figure out and with lots of variables to toggle to make things work as you'd expect - huge **operational complexity**. + +We love containers, proven by the fact that **everything** that this playbook manages runs in a container. Yet, we weren't allowing people to easily host other web-exposed containers alongside Matrix services on the same server. We were using `matrix-nginx-proxy` (our integrated [nginx](https://nginx.org/) server), which was handling web-exposure and SSL termination for our own services, but we **weren't helping you with all your other containers**. + +People who were **using `matrix-nginx-proxy`** were on the happy path on which everything worked well by default (Matrix-wise), **but** could not easily run other web-exposed services on their Matrix server because `matrix-nginx-proxy` was occupying ports `80` and `443`. Other services which wanted to get web exposure either had to be plugged into `matrix-nginx-proxy` (somewhat difficult) or people had to forgo using `matrix-nginx-proxy` in favor of something else. + +Of those that decided to forgo `matrix-nginx-proxy`, many were **using nginx** on the same server without a container. This was likely some ancient nginx version, depending on your choice of distro. The Matrix playbook was trying to be helpful and even with `matrix_nginx_proxy_enabled: false` was still generating nginx configuration in `/matrix/nginx-proxy/conf.d`. Those configuration files were adapted for inclusion into an nginx server running locally. Disabling the `matrix-nginx-proxy` role like this, yet still having it produce files is a bit disgusting, but it's what we've had since the early beginnings of this playbook. + +Others still, wanted to run Matrix locally (no SSL certificates), regardless of which web server technology this relied on, and then **reverse-proxy from another machine on the network** which was doing SSL termination. These people were: + +- *either* relying on `matrix_nginx_proxy_enabled: false` as well, combined with exposing services manually (setting `_bind_port` variables) +- *or* better yet, they were keeping `matrix-nginx-proxy` enabled, but in `http`-only mode (no SSL certificate retrieval). + +Despite this operational complexity, things worked and were reasonably flexible to adapt to all these situations. + +When using `matrix-nginx-proxy` as is, we still had another problem - one of **internal playbook complexity**. Too many services need to be web-exposed (port 80/443, SSL certificates). Because of this, they all had to integrate with the `matrix-nginx-proxy` role. Tens of different roles explicitly integrating with `matrix-nginx-proxy` is not what we call clean. The `matrix-nginx-proxy` role contains variables for many of these roles (yikes). Other roles were more decoupled from it and were injecting configuration into `matrix-nginx-proxy` at runtime - see all the `inject_into_nginx_proxy.yml` task files in this playbook (more decoupled, but still.. yikes). + +The next problem is one of **efficiency, interoperability and cost-saving**. We're working on other playbooks: + +- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) for hosting the [Vaultwarden](https://github.com/dani-garcia/vaultwarden) server - an alternative implementation of the [Bitwarden](https://bitwarden.com/) password manager +- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for hosting the [Gitea](https://gitea.io/) git source code hosting service +- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for hosting the [Nextcloud](https://nextcloud.com/) groupware platform + +We'd love for users to be able to **seamlessly use all these playbooks (and others, even) against a single server**. We don't want `matrix-nginx-proxy` to have a monopoly on port `80`/`443` and make it hard for other services to join in on the party. Such a thing forces people into running multiple servers (one for each service), which does provide nice security benefits, but is costly and ineffiecient. We'd like to make self-hosting these services cheap and easy. + +These other playbooks have been using [Traefik](https://traefik.io/) as their default reverse-proxy for a long time. They can all coexist nicely together (as an example, see the [Interoperability](https://github.com/spantaleev/nextcloud-docker-ansible-deploy/blob/master/docs/configuring-playbook-interoperability.md) documentation for the [Nextcloud playbook](https://github.com/spantaleev/nextcloud-docker-ansible-deploy)). Now that this playbook is gaining Traefik support, it will be able to interoperate with them. If you're going this way, make sure to have the Matrix playbook install Traefik and have the others use `*_reverse_proxy_type: other-traefik-container`. + +Finally, at [etke.cc - a managed Matrix server hosting service](https://etke.cc) (built on top of this playbook, and coincidentally [turning 2 years old today](https://etke.cc/news/upsyw4ykbtgmwhz8k7ukldx0zbbfq-fh0iqi3llixi0/) 🎉), we're allowing people to host some additional services besides Matrix components. Exposing these services to the web requires ugly hacks and configuration files being dropped into `/matrix/nginx-proxy/conf.d`. We believe that everything should run in independent containers and be exposed to the web via a Traefik server, without a huge Ansible role like `matrix-nginx-proxy` that everything else needs to integrate with. + +### How do these changes fix all these problems? + +The new `matrix_playbook_reverse_proxy_type` lets you easily specify your preferred reverse-proxy type, including `other-on-same-host`, `other-on-another-host` and `none`, so people who'd like to reverse-proxy with their own web server have more options now. + +Using Traefik greatly simplifies things, so going forward we'll have a simpler and easier to maintain playbook, which is also interoperable with other services. + +Traefik is a web server, which has been specifically **designed for reverse-proxying to services running in containers**. It's ideal for usage in an Ansible playbook which runs everything in containers. + +**Traefik obtains SSL certificates automatically**, so there's no need for plugging additional tools like [Certbot](https://certbot.eff.org/) into your web server (like we were doing in the `matrix-nginx-proxy` role). No more certificate renewal timers, web server reloading timers, etc. It's just simpler. + +Traefik is a **modern web server**. [HTTP/3](https://doc.traefik.io/traefik/routing/entrypoints/#http3) is supported already (experimentally) and will move to stable soon, in the upcoming Traefik v3 release. + +Traefik does not lock important functionality we'd like to use into [plus packages like nginx does](https://www.nginx.com/products/nginx/), leading us to resolve to configuration workarounds. The default Traefik package is good enough as it is. + +### Where we're at right now? + +`matrix_playbook_reverse_proxy_type` still defaults to a value of `playbook-managed-nginx`. + +Unless we have some regression, **existing `matrix-nginx-proxy` users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected. + +**Users using [their own webservers](docs/configuring-playbook-own-webserver.md) will need to change `matrix_playbook_reverse_proxy_type`** to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`. Previously, they could toggle `matrix_nginx_proxy_enabled` to `false`, and that made the playbook automatically expose services locally. Currently, we only do this if you change the reverse-proxy type to `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`. + +#### How do I explicitly switch to Traefik right now? + +**Users who wish to migrate to Traefik** today, can do so by **adding** this to their configuration: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS +``` + +You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed. + +Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/matrix/traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. + +**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/matrix/traefik`), so you may run into a Let's Encrypt rate limit if you do it often. + +Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time. + +Some services (like [Coturn](docs/configuring-playbook-turn.md) and [Postmoogle](docs/configuring-playbook-bot-postmoogle.md)) cannot be reverse-proxied to directly from Traefik, so they require direct access to SSL certificate files extracted out of Traefik. The playbook does this automatically thanks to a new [com.devture.ansible.role.traefik_certs_dumper](https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper) role utilizing the [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) tool. + +Our Traefik setup mostly works, but certain esoteric features may not work. If you have a default setup, we expect you to have a good experience. + + +### Where we're going in the near future? + +The `matrix-nginx-proxy` role is quite messy. It manages both nginx and Certbot and its certificate renewal scripts and timers. It generates configuration even when the role is disabled (weird). Although it doesn't directly reach into variables from other roles, it has explicit awareness of various other services that it reverse-proxies to (`roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2`, etc.). We'd like to clean this up. The only way is probably to just get rid of the whole thing at some point. + +For now, `matrix-nginx-proxy` will stay around. + +As mentioned above, Traefik still reverse-proxies to some (most) services by going through a local-only `matrix-nginx-proxy` server. This has allowed us to add Traefik support to the playbook early on (without having to rework all services), but is not the final goal. We'll **work on making each service support Traefik natively**, so that traffic will not need to go through `matrix-nginx-proxy` anymore. In the end, choosing Traefik should only give you a pure Traefik installation with no `matrix-nginx-proxy` in sight. + +As Traefik support becomes complete and proves to be stable for a while, especially as a playbook default, we will **most likely remove `matrix-nginx-proxy` completely**. It will likely be some months before this happens though. Keeping support for both Traefik and nginx in the playbook will be a burden, especially with most of us running Traefik in the future. The Traefik role should do everything nginx does in a better and cleaner way. Users who use their own `nginx` server on the Matrix server will be inconvenienced, as nothing will generate ready-to-include nginx configuration for them. Still, we hope it won't be too hard to migrate their setup to another way of doing things, like: + +- not using nginx anymore. A common reason for using nginx until now was that you were running other containers and you need your own nginx to reverse-proxy to all of them. Just switch them to Traefik as well. +- running Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`). + +### How do I help? + +You can help by: + +- **explicitly switching your server to Traefik** right now (see example configuration in [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now) above), testing, reporting troubles + +- **adding native Traefik support to a role** (requires adding Traefik labels, etc.) - for inspiration, see these roles ([prometheus_node_exporter](https://gitlab.com/etke.cc/roles/prometheus_node_exporter), [prometheus_postgres_exporter](https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter)) and how they're hooked into the playbook via [group_vars/matrix_servers](group_vars/matrix_servers). + +- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server + + +# 2023-02-10 + +## Matrix Authentication Support for Jitsi + +Thanks to [Jakob S.](https://github.com/jakicoll) ([zakk gGmbH](https://github.com/zakk-it)), Jitsi can now use Matrix for authentication (via [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)). + +Additional details are available in the [Authenticate using Matrix OpenID (Auth-Type 'matrix')](docs/configuring-playbook-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix). + + +## Draupnir moderation tool (bot) support + +Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. + +Additional details are available in [Setting up Draupnir](docs/configuring-playbook-bot-draupnir.md). + + +# 2023-02-05 + +## The matrix-prometheus-postgres-exporter role lives independently now + +**TLDR**: the `matrix-prometheus-postgres-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-prometheus-postgres-exporter` role (which configures [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter + +It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact. + +The `matrix-prometheus-services-proxy-connect` role has bee adjusted to help integrate the new `prometheus_postgres_exporter` role with our own services (`matrix-nginx-proxy`) + +Other roles which aren't strictly related to Matrix are likely to follow this fate of moving to their own repositories. Extracting them out allows other Ansible playbooks to make use of these roles easily. + + +# 2023-01-26 + +## Coturn can now use host-networking + +Large Coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow Coturn service startup and shutdown. + +Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this: + +```yaml +matrix_coturn_docker_network: host +``` + +With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops. +This, however, means that **you will need to ensure these ports are open** in your firewall yourself. + +Thanks to us [tightening Coturn security](#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues), running Coturn with host-networking should be safe and not expose neither other services running on the host, nor other services running on the local network. + + +## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues + +**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it. + +Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of Coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your Coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run Coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better. + +If you access your Matrix server from a local network and need Coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it. + +We've also added `no-multicast-peers` to the default Coturn configuration, but we don't expect this to cause trouble for most people. + + +# 2023-01-21 + +## The matrix-prometheus-node-exporter role lives independently now + +**TLDR**: the `matrix-prometheus-node-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter + +It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact. + +A new `matrix-prometheus-services-proxy-connect` role was added to the playbook to help integrate the new `prometheus_node_exporter` role with our own services (`matrix-nginx-proxy`) + +Other roles which aren't strictly related to Matrix are likely to follow this fate of moving to their own repositories. Extracting them out allows other Ansible playbooks to make use of these roles easily. + + +# 2023-01-13 + +## Support for running commands via just + +We've previously used [make](https://www.gnu.org/software/make/) for easily running some playbook commands (e.g. `make roles` which triggers `ansible-galaxy`, see [Makefile](Makefile)). +Our `Makefile` is still around and you can still run these commands. + +In addition, we've added support for running commands via [just](https://github.com/casey/just) - a more modern command-runner alternative to `make`. Instead of `make roles`, you can now run `just roles` to accomplish the same. + +Our [justfile](justfile) already defines some additional helpful **shortcut** commands that weren't part of our `Makefile`. Here are some examples: + +- `just install-all` to trigger the much longer `ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start` command +- `just install-all --ask-vault-pass` - commands also support additional arguments (`--ask-vault-pass` will be appended to the above installation command) +- `just run-tags install-mautrix-slack,start` - to run specific playbook tags +- `just start-all` - (re-)starts all services +- `just stop-group postgres` - to stop only the Postgres service +- `just register-user john secret-password yes` - registers a `john` user with the `secret-password` password and admin access (admin = `yes`) + +Additional helpful commands and shortcuts may be defined in the future. + +This is all completely optional. If you find it difficult to [install `just`](https://github.com/casey/just#installation) or don't find any of this convenient, feel free to run all commands manually. + + +# 2023-01-11 + +## mautrix-slack support + +Thanks to [Cody Neiman](https://github.com/xangelix)'s efforts, the playbook now supports bridging to [Slack](https://slack.com/) via the [mautrix-slack](https://mau.dev/mautrix/slack) bridge. See our [Setting up Mautrix Slack bridging](docs/configuring-playbook-bridge-mautrix-slack.md) documentation page for getting started. + +**Note**: this is a new Slack bridge. The playbook still retains Slack bridging via [matrix-appservice-slack](docs/configuring-playbook-bridge-appservice-slack.md) and [mx-puppet-slack](docs/configuring-playbook-bridge-mx-puppet-slack.md). You're free to use the bridge that serves you better, or even all three of them (for different users and use-cases). + + +# 2023-01-10 + +## ChatGPT support + +Thanks to [@bertybuttface](https://github.com/bertybuttface), the playbook can now help you set up [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) - a bot through which you can talk to the [ChatGPT](https://openai.com/blog/chatgpt/) model. + +See our [Setting up matrix-bot-chatgpt](docs/configuring-playbook-bot-chatgpt.md) documentation to get started. + + +# 2022-11-30 + +## matrix-postgres-backup has been replaced by the com.devture.ansible.role.postgres_backup external role + +Just like we've [replaced Postgres with an external role](#matrix-postgres-has-been-replaced-by-the-comdevtureansiblerolepostgres-external-role) on 2022-11-28, we're now replacing `matrix-postgres-backup` with an external role - [com.devture.ansible.role.postgres_backup](https://github.com/devture/com.devture.ansible.role.postgres_backup). + +You'll need to rename your `matrix_postgres_backup`-prefixed variables such that they use a `devture_postgres_backup` prefix. + + +# 2022-11-28 + +## matrix-postgres has been replaced by the com.devture.ansible.role.postgres external role + +**TLDR**: the tasks that install the integrated Postgres server now live in an external role - [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres). You'll need to run `make roles` to install it, and to also rename your `matrix_postgres`-prefixed variables to use a `devture_postgres` prefix (e.g. `matrix_postgres_connection_password` -> `devture_postgres_connection_password`). All your data will still be there! Some scripts have moved (`/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`). + +The `matrix-postgres` role that has been part of the playbook for a long time has been replaced with the [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres) role. This was done as part of our work to [use external roles for some things](#the-playbook-now-uses-external-roles-for-some-things) for better code re-use and maintainability. + +The new role is an upgraded version of the old `matrix-postgres` role with these notable differences: + +- it uses different names for its variables (`matrix_postgres` -> `devture_postgres`) +- when [Vacuuming PostgreSQL](docs/maintenance-postgres.md#vacuuming-postgresql), it will vacuum all your databases, not just the Synapse one + +You'll need to run `make roles` to install the new role. You would also need to rename your `matrix_postgres`-prefixed variables to use a `devture_postgres` prefix. + +Note: the systemd service still remains the same - `matrix-postgres.service`. Your data will still be in `/matrix/postgres`, etc. +Postgres-related scripts will be moved to `/matrix/postgres/bin` (`/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`, etc). Also see [The playbook no longer installs scripts in /usr/local/bin](#the-playbook-no-longer-installs-scripts-in-usrlocalbin). + +## The playbook no longer installs scripts to /usr/local/bin + +The locations of various scripts installed by the playbook have changed. + +The playbook no longer contaminates your `/usr/local/bin` directory. +All scripts installed by the playbook now live in `bin/` directories under `/matrix`. Some examples are below: + +- `/usr/local/bin/matrix-remove-all` -> `/matrix/bin/remove-all` +- `/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli` +- `/usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew` -> `/matrix/ssl/bin/lets-encrypt-certificates-renew` +- `/usr/local/bin/matrix-synapse-register-user` -> `/matrix/synapse/bin/register-user` + + +# 2022-11-25 + +## 2x-5x performance improvements in playbook runtime + +**TLDR**: the playbook is 2x faster for running `--tags=setup-all` (and various other tags). It also has new `--tags=install-*` tags (like `--tags=install-all`), which skip uninstallation tasks and bring an additional 2.5x speedup. In total, the playbook can maintain your server 5 times faster. + +Our [etke.cc managed Matrix hosting service](https://etke.cc) runs maintenance against hundreds of servers, so the playbook being fast means a lot. +The [etke.cc Ansible playbook](https://gitlab.com/etke.cc/ansible) (which is an extension of this one) is growing to support more and more services (besides just Matrix), so the Matrix playbook being leaner prevents runtimes from becoming too slow and improves the customer experience. + +Even when running `ansible-playbook` manually (as most of us here do), it's beneficial not to waste time and CPU resources. + +Recently, a few large optimizations have been done to this playbook and its external roles (see [The playbook now uses external roles for some things](#the-playbook-now-uses-external-roles-for-some-things) and don't forget to run `make roles`): + +1. Replacing Ansible `import_tasks` calls with `include_tasks`, which decreased runtime in half. Using `import_tasks` is slower and causes Ansible to go through and skip way too many tasks (tasks which could have been skipped altogether by not having Ansible include them in the first place). On an experimental VM, **deployment time was decreased from ~530 seconds to ~250 seconds**. + +2. Introducing new `install-*` tags (`install-all` and `install-COMPONENT`, e.g. `install-synapse`, `install-bot-postmoogle`), which only run Ansible tasks pertaining to installation, while skipping uninstallation tasks. In most cases, people are maintaining the same setup or they're *adding* new components. Removing components is rare. Running thousands of uninstallation tasks each time is wasteful. On an experimental VM, **deployment time was decreased from ~250 seconds (`--tags=setup-all`) to ~100 seconds (`--tags=install-all`)**. + +You can still use `--tags=setup-all`. In fact, that's the best way to ensure your server is reconciled with the `vars.yml` configuration. + +If you know you haven't uninstalled any services since the last time you ran the playbook, you could run `--tags=install-all` instead and benefit from quicker runtimes. +It should be noted that a service may become "eligible for uninstallation" even if your `vars.yml` file remains the same. In rare cases, we toggle services from being auto-installed to being optional, like we did on the 17th of March 2022 when we made [ma1sd not get installed by default](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#compatibility-break-ma1sd-identity-server-no-longer-installed-by-default). In such rare cases, you'd also need to run `--tags=setup-all`. + + +# 2022-11-22 + +# Automatic `matrix_architecture` determination + +From now on, the playbook automatically determines your server's architecture and sets the `matrix_architecture` variable accordingly. +You no longer need to set this variable manually in your `vars.yml` file. + +# Docker and the Docker SDK for Python are now installed via external roles + +We're continuing our effort to make [the playbook use external roles for some things](#the-playbook-now-uses-external-roles-for-some-things), so as to avoid doing everything ourselves and to facilitate code re-use. + +Docker will now be installed on the server via the [geerlingguy.docker](https://github.com/geerlingguy/ansible-role-docker) Ansible role. +If you'd like to manage the Docker installation yourself, you can disable the playbook's installation of Docker by setting `matrix_playbook_docker_installation_enabled: false`. + +The Docker SDK for Python (named `docker-python`, `python-docker`, etc. on the different platforms) is now also installed by another role ([com.devture.ansible.role.docker_sdk_for_python](https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python)). To disable this role and install the necessary tools yourself, use `devture_docker_sdk_for_python_installation_enabled: false`. + +If you're hitting issues with Docker installation or Docker SDK for Python installation, consider reporting bugs or contributing to these other projects. + +These additional roles are downloaded into the playbook directory (to `roles/galaxy`) via an `ansible-galaxy ..` command. `make roles` is an easy shortcut for invoking the `ansible-galaxy` command to download these roles. + + +# 2022-11-20 + +## (Backward Compatibility Break) Changing how reverse-proxying to Synapse works - now via a `matrix-synapse-reverse-proxy-companion` service + +**TLDR**: There's now a `matrix-synapse-reverse-proxy-companion` nginx service, which helps with reverse-proxying to Synapse and its various worker processes (if workers are enabled), so that `matrix-nginx-proxy` can be relieved of this role. `matrix-nginx-proxy` still remains as the public SSL-terminating reverse-proxy in the playbook. `matrix-synapse-reverse-proxy-companion` is just one more reverse-proxy thrown into the mix for convenience. People with a more custom reverse-proxying configuration may be affected - see [Webserver configuration](#webserver-configuration) below. + +### Background + +Previously, `matrix-nginx-proxy` forwarded requests to Synapse directly. When Synapse is running in worker mode, the reverse-proxying configuration is more complicated (different requests need to go to different Synapse worker processes). `matrix-nginx-proxy` had configuration for sending each URL endpoint to the correct Synapse worker responsible for handling it. However, sometimes people like to disable `matrix-nginx-proxy` (for whatever reason) as detailed in [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md). + +Because `matrix-nginx-proxy` was so central to request forwarding, when it was disabled and Synapse was running with workers enabled, there was nothing which could forward requests to the correct place anymore.. which caused [problems such as this one affecting Dimension](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090). + +### Solution + +From now on, `matrix-nginx-proxy` is relieved of its function of reverse-proxying to Synapse and its various worker processes. +This role is now handled by the new `matrix-synapse-reverse-proxy-companion` nginx service and works even if `matrix-nginx-proxy` is disabled. +The purpose of the new `matrix-synapse-reverse-proxy-companion` service is to: + +- serve as a companion to Synapse and know how to reverse-proxy to Synapse correctly (no matter if workers are enabled or not) + +- provide a unified container address for reaching Synapse (no matter if workers are enabled or not) + - `matrix-synapse-reverse-proxy-companion:8008` for Synapse Client-Server API traffic + - `matrix-synapse-reverse-proxy-companion:8048` for Synapse Server-Server (Federation) API traffic + +- simplify `matrix-nginx-proxy` configuration - it now only needs to send requests to `matrix-synapse-reverse-proxy-companion` or `matrix-dendrite`, etc., without having to worry about workers + +- allow reverse-proxying to Synapse, even if `matrix-nginx-proxy` is disabled + +`matrix-nginx-proxy` still remains as the public SSL-terminating reverse-proxy in the playbook. All traffic goes through it before reaching any of the services. +It's just that now the Synapse traffic is routed through `matrix-synapse-reverse-proxy-companion` like this: + +(`matrix-nginx-proxy` -> `matrix-synapse-reverse-proxy-companion` -> (`matrix-synapse` or some Synapse worker)). + +Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx-proxy` (e.g. `http://matrix-nginx-proxy:12080`) preferentially. They only talk to Synapse via the reverse-proxy companion (e.g. `http://matrix-synapse-reverse-proxy-companion:8008`) if `matrix-nginx-proxy` is disabled. Services should not be talking to Synapse (e.g. `https://matrix-synapse:8008` directly anymore), because when workers are enabled, that's the Synapse `master` process and may not be serving all URL endpoints needed by the service. + +### Webserver configuration + +- if you're using `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: true`, which is the default for the playbook), you don't need to do anything + +- if you're using your own `nginx` webserver running on the server, you shouldn't be affected. The `/matrix/nginx/conf.d` configuration and exposed ports that you're relying on will automatically be updated in a way that should work + +- if you're using another local webserver (e.g. Apache, etc.) and haven't changed any ports (`matrix_*_host_bind_port` definitions), you shouldn't be affected. You're likely sending Matrix traffic to `127.0.0.1:8008` and `127.0.0.1:8048`. These ports (`8008` and `8048`) will still be exposed on `127.0.0.1` by default - just not by the `matrix-synapse` container from now on, but by the `matrix-synapse-reverse-proxy-companion` container instead + +- if you've been exposing `matrix-synapse` ports (`matrix_synapse_container_client_api_host_bind_port`, etc.) manually, you should consider exposing `matrix-synapse-reverse-proxy-companion` ports instead + +- if you're running Traefik and reverse-proxying directly to the `matrix-synapse` container, you should start reverse-proxying to the `matrix-synapse-reverse-proxy-companion` container instead. See [our updated Traefik example configuration](docs/configuring-playbook-own-webserver.md#sample-configuration-for-running-behind-traefik-20). Note: we now recommend calling the federation entry point `federation` (instead of `synapse`) and reverse-proxying the federation traffic via `matrix-nginx-proxy`, instead of sending it directly to Synapse (or `matrix-synapse-reverse-proxy-companion`). This makes the configuration simpler. + + # 2022-11-05 ## (Backward Compatibility Break) A new default standalone mode for Etherpad Until now, [Etherpad](https://etherpad.org/) (which [the playbook could install for you](docs/configuring-playbook-etherpad.md)) required the [Dimension integration manager](docs/configuring-playbook-dimension.md) to also be installed, because Etherpad was hosted on the Dimension domain (at `dimension.DOMAIN/etherpad`). -From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`matrix_etherpad_mode: standalone`). +From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`etherpad_mode: standalone`). If you've already got both Etherpad and Dimension in use you could: -- **either** keep hosting Etherpad under the Dimension domain by adding `matrix_etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. +- **either** keep hosting Etherpad under the Dimension domain by adding `etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. - **or**, you could change to hosting Etherpad separately on `etherpad.DOMAIN`. You will need to [configure a DNS record](docs/configuring-dns.md) for this new domain. You will also need to reconfigure Dimension to use the new pad URLs (`https://etherpad.DOMAIN/...`) going forward (refer to our [configuring Etherpad documentation](docs/configuring-playbook-etherpad.md)). All your existing room widgets (which still use `https://dimension.DOMAIN/etherpad/...`) will break as Etherpad is not hosted there anymore. You will need to re-add them or to consider not using `standalone` mode @@ -221,7 +845,7 @@ matrix_homeserver_implementation: conduit Thanks to [MdotAmaan](https://github.com/MdotAmaan)'s efforts, the playbook now supports bridging to [Discord](https://discordapp.com/) via the [mautrix-discord](https://mau.dev/mautrix/discord) bridge. See our [Setting up Mautrix Discord bridging](docs/configuring-playbook-bridge-mautrix-discord.md) documentation page for getting started. -**Note**: this is a new Discord bridge. The playbook still retains Discord bridging via [matrix-appservice-discord](docs/configuring-playbook-bridge-appservice-discord.md) and [mx-puppet-discord](docs/configuring-playbook-bridge-mx-puppet-discord.md). You're free too use the bridge that serves you better, or even all three of them (for different users and use-cases). +**Note**: this is a new Discord bridge. The playbook still retains Discord bridging via [matrix-appservice-discord](docs/configuring-playbook-bridge-appservice-discord.md) and [mx-puppet-discord](docs/configuring-playbook-bridge-mx-puppet-discord.md). You're free to use the bridge that serves you better, or even all three of them (for different users and use-cases). # 2022-07-27 @@ -295,14 +919,14 @@ See our [Setting up the ntfy push notifications server](docs/configuring-playboo **If you are using the [Hookshot bridge](docs/configuring-playbook-bridge-hookshot.md)**, you may find that: 1. **Metrics may not be enabled by default anymore**: - - If Prometheus is enabled (`matrix_prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network. + - If Prometheus is enabled (`prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network. - **If Prometheus is not enabled** (you are either not using Prometheus or are using an external one), **Hookshot metrics will not be enabled by default anymore**. Feel free to enable them by setting `matrix_hookshot_metrics_enabled: true`. Also, see below. 2. When metrics are meant to be **consumed by an external Prometheus server**, `matrix_hookshot_metrics_proxying_enabled` needs to be set to `true`, so that metrics would be exposed (proxied) "publicly" on `https://matrix.DOMAIN/metrics/hookshot`. To make use of this, you'll also need to enable the new `https://matrix.DOMAIN/metrics/*` endpoints mentioned above, using `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. Learn more in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. 3. **We've changed the URL we're exposing Hookshot metrics at** for external Prometheus servers. Until now, you were advised to consume Hookshot metrics from `https://stats.DOMAIN/hookshot/metrics` (working in conjunction with `matrix_nginx_proxy_proxy_synapse_metrics`). From now on, **this no longer works**. As described above, you need to start consuming metrics from `https://matrix.DOMAIN/metrics/hookshot`. **If you're using node-exporter** (`matrix_prometheus_node_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_node_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/node-exporter`. -**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`matrix_prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`. +**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`. **If you're using Synapse** and would like to collect its metrics from an external Prometheus server, you may find that: @@ -993,7 +1617,7 @@ People who have [fine-tuned Jitsi](docs/configuring-playbook-jitsi.md#optional-f The next time you run the playbook [installation](docs/installing.md) command, our validation logic will tell you if you're using some variables like that and will recommend a migration path for each one. -Additionally, we've recently disabled transcriptions (`matrix_jitsi_enable_transcriptions: false`) and recording (`matrix_jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working. +Additionally, we've recently disabled transcriptions (`jitsi_enable_transcriptions: false`) and recording (`jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working. # 2020-11-23 diff --git a/Makefile b/Makefile index b7fc41bd7..3379b8fff 100644 --- a/Makefile +++ b/Makefile @@ -8,4 +8,4 @@ roles: ## Pull roles ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force lint: ## Runs ansible-lint against all roles in the playbook - ansible-lint + ansible-lint roles/custom diff --git a/README.md b/README.md index 569dbb3f8..71d46f822 100644 --- a/README.md +++ b/README.md @@ -13,139 +13,164 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co [Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). -## Supported services - -Using this playbook, you can get the following services configured on your server: - -- (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network - -- (optional) a [Conduit](https://conduit.rs) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements - -- (optional) a [Dendrite](https://github.com/matrix-org/dendrite) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. - -- (optional) [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) or [`synapse-s3-storage-provider`](https://github.com/matrix-org/synapse-s3-storage-provider) - -- (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. - -- (optional, default) a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls - -- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Element web UI - -- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default - -- (optional) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - -- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - -- (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) - -- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - -- (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module - -- (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module - -- (optional, advanced) the [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) a proxy that handles Matrix registration requests and forwards them to LDAP. - -- (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module - -- (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server - -- (optional) the [mautrix-discord](https://github.com/mautrix/discord) bridge for bridging your Matrix server to [Discord](https://discord.com/) - see [docs/configuring-playbook-bridge-mautrix-discord.md](docs/configuring-playbook-bridge-mautrix-discord.md) for setup documentation - -- (optional) the [mautrix-telegram](https://github.com/mautrix/telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) - -- (optional) the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) - -- (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) - -- (optional) the [mautrix-twitter](https://github.com/mautrix/twitter) bridge for bridging your Matrix server to [Twitter](https://twitter.com/) - -- (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) +## Self-hosting or SaaS -- (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) +This Ansible playbook tries to make self-hosting and maintaining a Matrix server fairly easy. Still, running any service smoothly requires knowledge, time and effort. -- (optional) the [mautrix-instagram](https://github.com/mautrix/instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) +If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc/) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease. -- (optional) the [mautrix-signal](https://github.com/mautrix/signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) +If you like learning and experimentation, but would rather reduce future maintenance effort, you can even go for a hybrid approach - self-hosting manually using this Ansible playbook at first and then transferring server maintenance to etke.cc at a later time. -- (optional) the [beeper-linkedin](https://github.com/beeper/linkedin) bridge for bridging your Matrix server to [LinkedIn](https://www.linkedin.com/) -- (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - -- (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) - -- (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/) - -- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) - -- (optional) the [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) bridge for bridging Matrix to generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular - -- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation - -- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation - -- (optional) the [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-go-skype-bridge.md](docs/configuring-playbook-bridge-go-skype-bridge.md) for setup documentation - -- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation - -- (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation - -- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation - -- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation - -- (optional) the [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) bridge for [GroupMe](https://groupme.com/) - see [docs/configuring-playbook-bridge-mx-puppet-groupme.md](docs/configuring-playbook-bridge-mx-puppet-groupme.md) for setup documentation - -- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation - -- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation +## Supported services -- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation +Using this playbook, you can get the following list of services configured on your server. Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. -- (optional) [Etherpad](https://etherpad.org), an open source collaborative text editor - see [docs/configuring-playbook-etherpad.md](docs/configuring-playbook-etherpad.md) for setup documentation +**Note**: the list below is exhaustive. It includes optional or even some advanced components that you will most likely not need. +Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. +You can always re-run the playbook later to add or remove components. -- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation -- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +### Homeserver -- (optional) [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for invitations by creating and managing registration tokens - see [docs/configuring-playbook-bot-matrix-registration-bot.md](docs/configuring-playbook-bot-matrix-registration-bot.md) for setup documentation +The homeserver is the backbone of your matrix system. Choose one from the following list. -- (optional) [maubot](https://github.com/maubot/maubot) a plugin-based Matrix bot system - see [docs/configuring-playbook-bot-maubot.md](docs/configuring-playbook-bot-maubot.md) for setup documentation +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [Synapse](https://github.com/matrix-org/synapse) | ✓ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | +| [Conduit](https://conduit.rs) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | +| [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) | + +### Clients + +Web clients for matrix that you can host on your own domains. + +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +[Element](https://app.element.io/) | ✓ | Web UI, which is configured to connect to your own Synapse server by default | [Link](docs/configuring-playbook-client-element.md) | +| [Hydrogen](https://github.com/vector-im/hydrogen-web) | x | Web client | [Link](docs/configuring-playbook-client-hydrogen.md) | +| [Cinny](https://github.com/ajbura/cinny) | x | Web client | [Link](docs/configuring-playbook-client-cinny.md) | -- (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation -- (optional) [Postmoogle](https://gitlab.com/etke.cc/postmoogle) email to matrix bot - see [docs/configuring-playbook-bot-postmoogle.md](docs/configuring-playbook-bot-postmoogle.md) for setup documentation -- (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation +### Server Components -- (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation +Services that run on the server to make the various parts of your installation work. + +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [PostgreSQL](https://www.postgresql.org/)| ✓ | Database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) | +| [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) | +| [Traefik](https://doc.traefik.io/traefik/) | ✓ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-traefik.md) | +| [nginx](http://nginx.org/) | x | (Deprecated) Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Deprecated in favor of Traefik | [Link](docs/configuring-playbook-nginx.md) | +| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) | +| [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md) +| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) | +| [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) | +| [Sygnal](https://github.com/matrix-org/sygnal) | x | Push gateway | [Link](docs/configuring-playbook-sygnal.md) | +| [ntfy](https://ntfy.sh) | x | Push notifications server | [Link](docs/configuring-playbook-ntfy.md) | + + +### Authentication -- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation +Extend and modify how users are authenticated on your homeserver. -- (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | +|[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | +| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) | +| [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) | +| [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) | -- (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation -- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation +### File Storage -- (optional) the [ntfy](https://ntfy.sh) push notifications server - see [docs/configuring-playbook-ntfy.md](docs/configuring-playbook-ntfy.md) for setup documentation +Use alternative file storage to the default `media_store` folder. -- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [Goofys](https://github.com/kahing/goofys) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3-goofys.md) | +| [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3.md) | +| [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) | x | matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification. | [Link](docs/configuring-playbook-media-repo.md) | -- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation +### Bridges -- (optional) the [Borg](https://borgbackup.org) backup - see [docs/configuring-playbook-backup-borg.md](docs/configuring-playbook-backup-borg.md) for setup documentation +Bridges can be used to connect your matrix installation with third-party communication networks. -- (optional) the [Buscarron](https://gitlab.com/etke.cc/buscarron) bot - see [docs/configuring-playbook-bot-buscarron.md](docs/configuring-playbook-bot-buscarron.md) for setup documentation +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) | +| [mautrix-slack](https://github.com/mautrix/slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-mautrix-slack.md) | +| [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge for bridging your Matrix server to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) | +| [mautrix-gmessages](https://github.com/mautrix/gmessages) | x | Bridge for bridging your Matrix server to [Google Messages](https://messages.google.com/) | [Link](docs/configuring-playbook-bridge-mautrix-gmessages.md) | +| [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) | +| [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge for bridging your Matrix server to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) | +| [mautrix-twitter](https://github.com/mautrix/twitter) | x | Bridge for bridging your Matrix server to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) | +| [mautrix-hangouts](https://github.com/mautrix/hangouts) | x | Bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) | [Link](docs/configuring-playbook-bridge-mautrix-hangouts.md) | +| [mautrix-googlechat](https://github.com/mautrix/googlechat) | x | Bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) | +| [mautrix-instagram](https://github.com/mautrix/instagram) | x | Bridge for bridging your Matrix server to [Instagram](https://instagram.com/) | [Link](docs/configuring-playbook-bridge-mautrix-instagram.md) | +| [mautrix-signal](https://github.com/mautrix/signal) | x | Bridge for bridging your Matrix server to [Signal](https://www.signal.org/) | [Link](docs/configuring-playbook-bridge-mautrix-signal.md) | +| [beeper-linkedin](https://github.com/beeper/linkedin) | x | Bridge for bridging your Matrix server to [LinkedIn](https://www.linkedin.com/) | [Link](docs/configuring-playbook-bridge-beeper-linkedin.md) | +| [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) | x | Bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-appservice-irc.md) | +| [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) | x | Bridge for bridging your Matrix server to [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-appservice-discord.md) | +| [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-appservice-slack.md) | +| [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) | x | Bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) | [Link](docs/configuring-playbook-bridge-appservice-webhooks.md) | +| [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) | x | Bridge for bridging Matrix to generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular | [Link](docs/configuring-playbook-bridge-hookshot.md) | +| [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | x | Bridge for bridging your Matrix server to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) | +| [Heisenbridge](https://github.com/hifi/heisenbridge) | x | Bridge for bridging your Matrix server to IRC bouncer-style | [Link](docs/configuring-playbook-bridge-heisenbridge.md) | +| [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) | x | Bridge for bridging your Matrix server to [Skype](https://www.skype.com) | [Link](docs/configuring-playbook-bridge-go-skype-bridge.md) | +| [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com) | [Link](docs/configuring-playbook-bridge-mx-puppet-slack.md) | +| [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) | x | Bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) | [Link](docs/configuring-playbook-bridge-mx-puppet-instagram.md) | +| [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) | x | Bridge for Twitter-DMs ([Twitter](https://twitter.com/)) | [Link](docs/configuring-playbook-bridge-mx-puppet-twitter.md) | +| [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) | x | Bridge for [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-discord.md) | +| [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | x | Bridge for [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) | +| [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) | x | Bridge for [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) | +| [Email2Matrix](https://github.com/devture/email2matrix) | x | Bridge for relaying email messages to Matrix rooms | [Link](docs/configuring-playbook-email2matrix.md) | -- (optional) [Cactus Comments](https://cactus.chat), a federated comment system built on matrix - see [docs/configuring-playbook-cactus-comments.md](docs/configuring-playbook-cactus-comments.md) for setup documentation -Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. +### Bots -**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. -Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. -You can always re-run the playbook later to add or remove components. +Bots provide various additional functionality to your installation. + +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) | x | Bot for scheduling one-off & recurring reminders and alarms | [Link](docs/configuring-playbook-bot-matrix-reminder-bot.md) | +| [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) | x | Bot for invitations by creating and managing registration tokens | [Link](docs/configuring-playbook-bot-matrix-registration-bot.md) | +| [maubot](https://github.com/maubot/maubot) | x | A plugin-based Matrix bot system | [Link](docs/configuring-playbook-bot-maubot.md) | +| [honoroit](https://gitlab.com/etke.cc/honoroit) | x | A helpdesk bot | [Link](docs/configuring-playbook-bot-honoroit.md) | +| [Postmoogle](https://gitlab.com/etke.cc/postmoogle) | x | Email to matrix bot | [Link](docs/configuring-playbook-bot-postmoogle.md) | +| [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) | +| [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) | +| [Draupnir](https://github.com/Gnuxie/Draupnir) | x | A moderation tool for Matrix (Fork of Mjolnir) | [Link](docs/configuring-playbook-bot-draupnir.md) | +| [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) | +| [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) | x | ChatGPT from matrix | [Link](docs/configuring-playbook-bot-chatgpt.md) | + +### Administration + +Services that help you in administrating and monitoring your matrix installation. + + +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) | x | A web UI tool for administrating users and rooms on your Matrix server | [Link](docs/configuring-playbook-synapse-admin.md) | +| Metrics and Graphs | x | Consists of the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI | [Link](docs/configuring-playbook-prometheus-grafana.md) | +| [Borg](https://borgbackup.org) | x | Backups | [Link](docs/configuring-playbook-backup-borg.md) | +| [Rageshake](https://github.com/matrix-org/rageshake) | x | Bug report server | [Link](docs/configuring-playbook-rageshake.md) | + +### Misc + +Various services that don't fit any other category. + +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) | +| [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | x | A cli tool that automatically compresses `state_groups` database table in background. | [Link](docs/configuring-playbook-synapse-auto-compressor.md) | +| [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) | +| [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | +| [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | +| [Jitsi](https://jitsi.org/) | x | An open source video-conferencing platform | [Link](docs/configuring-playbook-jitsi.md) | +| [Cactus Comments](https://cactus.chat) | x | A federated comment system built on matrix | [Link](docs/configuring-playbook-cactus-comments.md) | ## Installation @@ -169,6 +194,16 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) -## Services by the community +## Related + +You may also be interested in these other Ansible playbooks: + +- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for deploying a [Gitea](https://gitea.io/) git version-control server + +- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for deploying a [Nextcloud](https://nextcloud.com/) server + +- [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy) - for deploying a [PeerTube](https://joinpeertube.org/) video-platform server + +- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) - for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server) -- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain +They're all making use of Traefik as their reverse-proxy, so it should be easy to host all these services on the same server. Follow the `docs/configuring-playbook-interoperability.md` documentation in each playbook. diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index c8097b60b..0865de1f0 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -1,26 +1,18 @@ # Alternative architectures -As stated in the [Prerequisites](prerequisites.md), currently only `x86_64` is fully supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. +As stated in the [Prerequisites](prerequisites.md), currently only `amd64` (`x86_64`) is fully supported. -To that end add the following variable to your `vars.yml` file (see [Configuring playbook](configuring-playbook.md)): +The playbook automatically determines the target server's architecture (the `matrix_architecture` variable) to be one of the following: -```yaml -matrix_architecture: -``` - -Currently supported architectures are the following: -- `amd64` (the default) -- `arm64` +- `amd64` (`x86_64`) - `arm32` +- `arm64` -so for the Raspberry Pi, the following should be in your `vars.yml` file: +Some tools and container images can be built on the host or other measures can be used to install on that architecture. -```yaml -matrix_architecture: "arm32" -``` ## Implementation details For `amd64`, prebuilt container images (see the [container images we use](container-images.md)) are used for all components (except [Hydrogen](configuring-playbook-client-hydrogen.md), which goes through self-building). -For other architectures, components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. +For other architecture (`arm64`, `arm32`), components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. diff --git a/docs/ansible.md b/docs/ansible.md index e8a0ddb21..6018860e3 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -9,19 +9,14 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Ansible 2.7.1 or newer is required ([last discussion about Ansible versions](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/743)). - -Note: Ubuntu 20.04 ships with Ansible 2.9.6 which is a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more details in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669)). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below). - - -## Checking your Ansible version +To manually check which version of Ansible you're on, run: `ansible --version`. -In most cases, you won't need to worry about the Ansible version. -The playbook will try to detect it and tell you if you're on an unsupported version. +For the **best experience**, we recommend getting the **latest version of Ansible available**. -To manually check which version of Ansible you're on, run: `ansible --version`. +We're not sure what's the minimum version of Ansible that can run this playbook successfully. +The lowest version that we've confirmed (on 2022-11-26) to be working fine is: `ansible-core` (`2.11.7`) combined with `ansible` (`4.10.0`). -If you're on an old version of Ansible, you should [upgrade Ansible to a newer version](#upgrading-ansible) or [use Ansible via Docker](#using-ansible-via-docker). +If your distro ships with an Ansible version older than this, you may run into issues. Consider [Upgrading Ansible](#upgrading-ansible) or [using Ansible via Docker](#using-ansible-via-docker). ## Upgrading Ansible @@ -53,7 +48,7 @@ You can either [run Ansible in a container on the Matrix server itself](#running To run Ansible in a (Docker) container on the Matrix server itself, you need to have a working Docker installation. Docker is normally installed by the playbook, so this may be a bit of a chicken and egg problem. To solve it: -- you **either** need to install Docker manually first. Follow [the upstream instructions](https://docs.docker.com/engine/install/) for your distribution and consider setting `matrix_docker_installation_enabled: false` in your `vars.yml` file, to prevent the playbook from installing Docker +- you **either** need to install Docker manually first. Follow [the upstream instructions](https://docs.docker.com/engine/install/) for your distribution and consider setting `matrix_playbook_docker_installation_enabled: false` in your `vars.yml` file, to prevent the playbook from installing Docker - **or** you need to run the playbook in another way (e.g. [Running Ansible in a container on another computer (not the Matrix server)](#running-ansible-in-a-container-on-another-computer-not-the-matrix-server)) at least the first time around Once you have a working Docker installation on the server, **clone the playbook** somewhere on the server and configure it as per usual (`inventory/hosts`, `inventory/host_vars/..`, etc.), as described in [configuring the playbook](configuring-playbook.md). @@ -70,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0 +docker.io/devture/ansible:2.13.6-r0-3 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. @@ -91,7 +86,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0 +docker.io/devture/ansible:2.13.6-r0-3 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). diff --git a/docs/configuring-captcha.md b/docs/configuring-captcha.md index d137cf99e..173b34fe7 100644 --- a/docs/configuring-captcha.md +++ b/docs/configuring-captcha.md @@ -2,9 +2,11 @@ # Overview Captcha can be enabled for this home server. This file explains how to do that. -The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. +The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. If your homeserver is Dendrite then [hCapcha](https://www.hcaptcha.com) can be used instead. -## Getting keys +## ReCaptcha + +### Getting keys Requires a site/secret key pair from: @@ -12,12 +14,39 @@ Requires a site/secret key pair from: Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option -## Setting ReCaptcha Keys +### Setting ReCaptcha keys Once registered as above, set the following values: ```yaml +# for Synapse matrix_synapse_enable_registration_captcha: true matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY' matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY' + +# for Dendrite +matrix_dendrite_client_api_enable_registration_captcha: true +matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY' +matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY' +``` + +## hCaptcha + +### Getting keys + +Requires a site/secret key pair from: + + + +### Setting hCaptcha keys + +```yaml +matrix_dendrite_client_api_enable_registration_captcha: true +matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY' +matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY' + +matrix_dendrite_client_api_recaptcha_siteverify_api: 'https://hcaptcha.com/siteverify' +matrix_dendrite_client_api_recaptcha_api_js_url: 'https://js.hcaptcha.com/1/api.js' +matrix_dendrite_client_api_recaptcha_form_field: 'h-captcha-response' +matrix_dendrite_client_api_recaptcha_sitekey_class: 'h-captcha' ``` diff --git a/docs/configuring-playbook-backup-borg.md b/docs/configuring-playbook-backup-borg.md index f3cfc6def..6c9e7f808 100644 --- a/docs/configuring-playbook-backup-borg.md +++ b/docs/configuring-playbook-backup-borg.md @@ -6,9 +6,9 @@ That means your daily incremental backups can be stored in a fraction of the spa You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com). -The backup will run based on `matrix_backup_borg_schedule` var (systemd timer calendar), default: 4am every day. +The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day. -By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `matrix_backup_borg_postgresql_enabled` variable. +By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. ## Prerequisites @@ -38,11 +38,11 @@ cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable borg backup: ```yaml -matrix_backup_borg_enabled: true -matrix_backup_borg_location_repositories: - - USER@HOST:REPO -matrix_backup_borg_storage_encryption_passphrase: "PASSPHRASE" -matrix_backup_borg_ssh_key_private: | +backup_borg_enabled: true +backup_borg_location_repositories: + - ssh://USER@HOST/./REPO +backup_borg_storage_encryption_passphrase: "PASSPHRASE" +backup_borg_ssh_key_private: | -----BEGIN OPENSSH PRIVATE KEY----- TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZW xpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRv @@ -58,13 +58,13 @@ where: * HOST - SSH host of a provider/server * REPO - borg repository name, it will be initialized on backup start, eg: `matrix`, regarding Syntax see [Remote repositories](https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls) * PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager -* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `matrix_backup_borg_ssh_key_private` needs to be indented with 2 spaces +* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `backup_borg_ssh_key_private` needs to be indented with 2 spaces -To backup without encryption, add `matrix_backup_borg_encryption: 'none'` to your vars. This will also enable the `matrix_backup_borg_unknown_unencrypted_repo_access_is_ok` variable. +To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable. -`matrix_backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `matrix_backup_borg_location_exclude_patterns` variable. +`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable. -Check the `roles/custom/matrix-backup-borg/defaults/main.yml` file for the full list of available options. +Check the [backup_borg role](https://gitlab.com/etke.cc/roles/backup_borg)'s [defaults/main.yml](https://gitlab.com/etke.cc/roles/backup_borg/-/blob/main/defaults/main.yml) file for the full list of available options. ## Installing diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index 0b80ba403..b21dceef0 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md @@ -2,8 +2,32 @@ The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/buscarron) for you. -It's a bot you can use to setup **your own helpdesk on matrix** -It's a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) matrix room +Buscarron is bot that receives HTTP POST submissions of web forms and forwards them to a Matrix room. + + +## Decide on a domain and path + +By default, Buscarron is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Buscarron. +matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /buscarron subpath +matrix_bot_buscarron_path_prefix: /buscarron +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_buscarron` (e.g. `matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Buscarron domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. ## Adjusting the playbook configuration @@ -31,16 +55,6 @@ matrix_bot_buscarron_forms: matrix_bot_buscarron_spamlist: [] # (optional) list of emails/domains/hosts (with wildcards support) that should be rejected automatically ``` -You will also need to add a DNS record so that buscarron can be accessed. -By default buscarron will use https://buscarron.DOMAIN so you will need to create an CNAME record for `buscarron`. -See [Configuring DNS](configuring-dns.md). - -If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): - -```yaml -matrix_server_fqn_buscarron: "form.{{ matrix_domain }}" -``` - ## Installing @@ -67,4 +81,12 @@ To use the bot, invite the `@bot.buscarron:DOMAIN` to the room you specified in ``` +**NOTE**: to fight against spam, Buscarron is **very aggressive when it comes to banning** and will ban you if: + +- if you hit the homepage (HTTP `GET` request to `/`) +- if you submit a form to the wrong URL (`POST` request to `/non-existing-form`) +- if `hasemail` is enabled for the form (like in the example above) and you don't submit an `email` field + +If you get banned, you'd need to restart the process by running the playbook with `--tags=start` or running `systemctl restart matrix-bot-buscarron` on the server. + You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/buscarron). diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md new file mode 100644 index 000000000..fa7972cae --- /dev/null +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -0,0 +1,64 @@ +# Setting up ChatGPT (optional) + +The playbook can install and configure [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) for you. + +Talk to [ChatGPT](https://openai.com/blog/chatgpt/) via your favourite Matrix client! + + +## 1. Register the bot account + +The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + + +## 2. Get an access token and create encryption keys + +Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). + +To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6). + + +## 3. Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_bot_chatgpt_enabled: true + +# Obtain a new API key from https://platform.openai.com/account/api-keys +matrix_bot_chatgpt_openai_api_key: '' + +# This is the default username +# matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt' + +# Matrix access token (from bot user above) +# see: https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix +matrix_bot_chatgpt_matrix_access_token: '' +``` + +You will need to get tokens for ChatGPT. + + +## 4. Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +```sh +ansible-playbook -i inventory/hosts setup.yml --tags=install-all,start +``` + + +## Usage + +To use the bot, invite the `@bot.chatgpt:DOMAIN` to the room you specified in a config, after that start speaking to it, use the prefix if you configured one or mention the bot. + +You can also refer to the upstream [documentation](https://github.com/matrixgpt/matrix-chatgpt-bot). diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md new file mode 100644 index 000000000..23fa644f1 --- /dev/null +++ b/docs/configuring-playbook-bot-draupnir.md @@ -0,0 +1,96 @@ +# Setting up draupnir (optional) + +The playbook can install and configure the [draupnir](https://github.com/Gnuxie/Draupnir) moderation bot for you. + +See the project's [documentation](https://github.com/Gnuxie/Draupnir) to learn what it does and why it might be useful to you. + +If your migrating from Mjolnir skip to step 5b. + +## 1. Register the bot account + +The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. + + +## 2. Get an access token + +Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). + + +## 3. Make sure the account is free from rate limiting + +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. + +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. + +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. + + + +## 4. Create a management room + +Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room. The room must be unencrypted since the playbook does not support installing Pantalaimon yet. + +Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`. + +Finally invite the `@bot.draupnir:DOMAIN` account you created earlier into the room. + + +## 5a. Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_4_GOES_HERE` with the your own values. + +```yaml +matrix_bot_draupnir_enabled: true + +matrix_bot_draupnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" + +matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" +``` + +## 5b. Migrating from Mjolnir (Only required if migrating.) + +Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable mjolnir if you're doing migration. +That is all you need to do due to that Draupnir can complete migration on its own. + +## 6. Installing + +After configuring the playbook, run the [installation](installing.md) command: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +You can refer to the upstream [documentation](https://github.com/Gnuxie/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. + +You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. + +For example to change draupnir's `recordIgnoredInvites` option to `true` you would add the following to your `vars.yml` file. + +```yaml +matrix_bot_draupnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_draupnir_configuration_yaml`. + recordIgnoredInvites: true +``` diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 6ec2056c0..77351de26 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -24,6 +24,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb Once the user is created you can [obtain an access token](obtaining-access-tokens.md). +## Decide on a domain and path + +By default, Go-NEB is configured to use its own dedicated domain (`goneb.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Go-NEB. +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /go-neb subpath +matrix_bot_go_neb_path_prefix: /go-neb +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Go-NEB domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -193,9 +218,7 @@ matrix_bot_go_neb_services: ## Installing -Don't forget to add `goneb.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 42f31d49a..2a711fb83 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md @@ -14,6 +14,10 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true +# Uncomment and adjust if you'd like to change the hostname or path +# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +# matrix_bot_honoroit_path_prefix: /honoroit + # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/docs/configuring-playbook-bot-matrix-registration-bot.md b/docs/configuring-playbook-bot-matrix-registration-bot.md index b1e3fdc6c..babfd2689 100644 --- a/docs/configuring-playbook-bot-matrix-registration-bot.md +++ b/docs/configuring-playbook-bot-matrix-registration-bot.md @@ -2,40 +2,30 @@ The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you. -The bot allows you to easily **create and manage registration tokens**. It can be used for an invitation-based server, -where you invite someone by sending them a registration token. They can register as normal but have to provide a valid -registration token in a final step of the registration. +The bot allows you to easily **create and manage registration tokens** aka. invitation codes. +It can be used for an invitation-based server, +where you invite someone by sending them a registration token (loook like this: `rbalQ0zkaDSRQCOp`). They can register as normal but have to provide a valid registration token in a final step of the registration. See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it does and why it might be useful to you. -## Registering the bot user +## Configuration -By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`. +To enable the bot, add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: -(to use a different username, adjust the `matrix_bot_matrix_registration_bot_matrix_user_id_localpart` variable). - -For [other bots supported by the playbook](configuring-playbook.md#bots), Matrix bot user accounts are created and put to use automatically. For `matrix-registration-bot`, however, this is not the case - you **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): - -``` -ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-registration-bot password=PASSWORD_FOR_THE_BOT admin=yes' --tags=register-user -``` - -Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. - -## Obtaining an admin access token - -In order to use the bot you need to add an admin user's access token token to the configuration. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). - -## Adjusting the playbook configuration - -Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: +For `matrix_bot_matrix_registration_bot_api_token`you need an access token with the permission to access the admin api. Access to the API is needed for all restricted actions of the bot (list, create etc..). Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). ```yaml matrix_bot_matrix_registration_bot_enabled: true -# Token obtained via logging into the bot account (see above) -matrix_bot_matrix_registration_bot_bot_access_token: "syt_bW9hbm9z_XXXXXXXXXXXXXr_2kuzbE" + +#By default, the playbook will set use the bot with a username like +## this: `@bot.matrix-registration-bot:DOMAIN`. +# To use a different username, uncomment & adjust the variable. +# matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot + +# Generate a strong password here. Consider generating it with `pwgen -s 64 1` +matrix_bot_matrix_registration_bot_bot_password: PASSWORD_FOR_THE_BOT # Enables registration matrix_synapse_enable_registration: true @@ -44,6 +34,7 @@ matrix_synapse_enable_registration: true matrix_synapse_registration_requires_token: true ``` +The bot account will be automatically created. ## Installing @@ -56,10 +47,16 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). +To use the bot, message `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). In this room send `help` and the bot will reply with all options. You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands). If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de). + +To clean the cache (session&encryption data) after you changed the bot's username, changed the login methon form access_token to password etc.. you can use + +```bash +just run-tags bot-matrix-registration-bot-clean-cache +``` diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 5fc6331e3..e69655aa5 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -29,31 +29,11 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -1. Copy the statement below into a text editor. - - ``` - INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0); - ``` - -1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. - -1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) - -1. Connect to Synapse's database by typing `\connect synapse` into the database terminal - -1. Paste in the `INSERT INTO` command that you edited and press enter. - -You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: - -``` - user_id | messages_per_second | burst_count ------------------------+---------------------+------------- - @bot.mjolnir:raim.ist | 0 | 0` -``` -then you did it correctly. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. ## 4. Create a management room diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 0fa366935..b66285a51 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md @@ -4,12 +4,26 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. -It's a bot/bridge you can use to forward emails to Matrix rooms +It's a bot/bridge you can use to forward emails to Matrix rooms. +Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. +## Prerequisites -## Adjusting the playbook configuration +### Networking + +Open the following ports on your server to be able to receive incoming emails: + + - `25/tcp`: SMTP + - `587/tcp`: Submission (TLS-encrypted SMTP) + +If you don't open these ports, you will still be able to send emails, but not receive any. + +These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use. + + +### Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: @@ -21,9 +35,20 @@ matrix_bot_postmoogle_enabled: true # Generate a strong password here. Consider generating it with `pwgen -s 64 1` matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT + +# Uncomment to add one or more admins to this bridge: +# +# matrix_bot_postmoogle_admins: +# - '@yourAdminAccount:domain.com' +# +# .. unless you've made yourself an admin of all bridges like this: +# +# matrix_admin: '@yourAdminAccount:domain.com' ``` -You will also need to add several DNS records so that postmoogle can send emails. +### DNS + +You will also need to add several DNS records so that Postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -51,3 +76,13 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). + +### Debug/Logs + +As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle` + +The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: + +```yaml +matrix_bot_postmoogle_loglevel: 'DEBUG' +``` diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index fc2bf1662..3e6f798e4 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -1,6 +1,6 @@ # Setting up Appservice Slack (optional) -**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) bridge supported by the playbook. +**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) and [mautrix-slack](configuring-playbook-bridge-mautrix-slack.md) bridges supported by the playbook. The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you. diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md index 5cd4dd4c0..48a66a8ea 100644 --- a/docs/configuring-playbook-bridge-hookshot.md +++ b/docs/configuring-playbook-bridge-hookshot.md @@ -16,7 +16,7 @@ Refer to the [official instructions](https://matrix-org.github.io/matrix-hooksho 1. Enable the bridge by adding `matrix_hookshot_enabled: true` to your `vars.yml` file 2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) as required. 3. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma). -4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below. +4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-aux-role) explained below. 5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`. Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) for how to use them. @@ -54,27 +54,27 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri | widgets | `/hookshot/widgetapi/` | `matrix_hookshot_widgets_endpoint` | Widgets | | metrics | `/metrics/hookshot` | `matrix_hookshot_metrics_enabled` and `matrix_hookshot_metrics_proxying_enabled`. Requires `/metrics/*` endpoints to also be enabled via `matrix_nginx_proxy_proxy_matrix_metrics_enabled` (see the `matrix-nginx-proxy` role). Read more in the [Metrics section](#metrics) below. | Prometheus | -See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/custom/matrix-bridge-hookshot/tasks/init.yml). +See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml). The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info. -### Manage GitHub Private Key with matrix-aux role +### Manage GitHub Private Key with aux role The GitHub bridge requires you to install a private key file. This can be done in multiple ways: - copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml)). - somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually. -- use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server. +- use the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) to copy the file from an arbitrary path on your ansible client to the correct path on the server. -To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this: +To use the `aux` role, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add the following additional configuration: ```yaml -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}" content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}" mode: '0400' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" ``` -For more info see the documentation in the [matrix-aux base configuration file](/roles/custom/matrix-aux/defaults/main.yml). +For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml). ### Provisioning API @@ -93,4 +93,4 @@ To explicitly enable metrics, use `matrix_hookshot_metrics_enabled: true`. This ### Collision with matrix-appservice-webhooks -If you are also running [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), it reserves its namespace by the default setting `matrix_appservice_webhooks_user_prefix: '_webhook_'`. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default `matrix_hookshot_generic_user_id_prefix: '_webhooks_'`). +If you are also running [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), it reserves its namespace by the default setting `matrix_appservice_webhooks_user_prefix: '_webhook_'`. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default `matrix_hookshot_generic_userIdPrefix: '_webhooks_'`). diff --git a/docs/configuring-playbook-bridge-mautrix-gmessages.md b/docs/configuring-playbook-bridge-mautrix-gmessages.md new file mode 100644 index 000000000..10981bf16 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-gmessages.md @@ -0,0 +1,38 @@ +# Setting up Mautrix gmessages (optional) + +The playbook can install and configure [mautrix-gmessages](https://github.com/mautrix/gmessages) for you, for bridging to [Google Messages](https://messages.google.com/). + +See the project's [documentation](https://docs.mau.fi/bridges/go/gmessages/index.html) to learn what it does and why it might be useful to you. + +Use the following playbook configuration: + +```yaml +matrix_mautrix_gmessages_enabled: true +``` + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). + +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md). + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-gmessages` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +You then need to start a chat with `@gmessagesbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). diff --git a/docs/configuring-playbook-bridge-mautrix-slack.md b/docs/configuring-playbook-bridge-mautrix-slack.md new file mode 100644 index 000000000..f53fbd104 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-slack.md @@ -0,0 +1,75 @@ +# Setting up Mautrix Slack (optional) + +**Note**: bridging to [Slack](https://slack.com/) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) and [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridges supported by the playbook. +- For using as a Bot we recommend the [Appservice Slack](configuring-playbook-bridge-appservice-slack.md), because it supports plumbing. +- For personal use with a slack account we recommend the `mautrix-slack` bridge (the one being discussed here), because it is the most fully-featured and stable of the 3 Slack bridges supported by the playbook. + +The playbook can install and configure [mautrix-slack](https://github.com/mautrix/slack) for you. + +See the project's [documentation](https://docs.mau.fi/bridges/go/slack/index.html) to learn what it does and why it might be useful to you. + +See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMAP.md) for more information. + + +## Prerequisites + +For using this bridge, you would need to authenticate by **providing your username and password** (legacy) or by using a **token login**. See more information in the [docs](https://docs.mau.fi/bridges/go/slack/authentication.html). + +Note that neither of these methods are officially supported by Slack. [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) uses a Slack bot account which is the only officially supported method for bridging a Slack channel. + + +## Installing + +To enable the bridge, add this to your `vars.yml` file: + +```yaml +matrix_mautrix_slack_enabled: true +``` + +You may optionally wish to add some [Additional configuration](#additional-configuration), or to [prepare for double-puppeting](#set-up-double-puppeting) before the initial installation. + +After adjusting your `vars.yml` file, re-run the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +To make use of the bridge, see [Usage](#usage) below. + + +### Additional configuration + +There are some additional options you may wish to configure with the bridge. + +Take a look at: + +- `roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml` for some variables that you can customize via your `vars.yml` file +- `roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2` for the bridge's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_mautrix_slack_configuration_extension_yaml` variable + + +### Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +#### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +#### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). + +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md). + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-Slack` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +1. Start a chat with `@slackbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +2. If you would like to login to Slack using a token, send the `login-token` command, otherwise, send the `login-password` command. Read [here](https://docs.mau.fi/bridges/go/slack/authentication.html) on how to retrieve your token and cookie token. +3. The bot should respond with "Successfully logged into for team " +4. Now that you're logged in, you can send a `help` command to the bot again, to see additional commands you have access to. +5. Slack channels should automatically begin bridging if you authenticated using a token. Otherwise, you must wait to receive a message in the channel if you used password authentication. diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 8ae6e5a04..b08556fe7 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -11,6 +11,19 @@ matrix_mautrix_whatsapp_enabled: true ``` Whatsapp multidevice beta is required, now it is enough if Whatsapp is connected to the Internet every 2 weeks. +The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_whatsapp_bridge_relay_enabled: true +``` + +By default, only admins are allowed to set themselves as relay users. To allow anyone on your homeserver to set themselves as relay users add this to your `vars.yml` file: +```yaml +matrix_mautrix_whatsapp_bridge_relay_admin_only: false +``` + +If you want to activate the relay bot in a room, use `!whatsapp set-relay`. +Use `!whatsapp unset-relay` to deactivate. + ## Enable backfilling history This requires a server with MSC2716 support, which is currently an experimental feature in synapse. Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index 8db159d70..c195b8b50 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -1,8 +1,7 @@ # Setting up MX Puppet Slack (optional) **Note**: bridging to [Slack](https://slack.com) can also happen via the -[matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) -bridge supported by the playbook. +[matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) and [mautrix-slack](configuring-playbook-bridge-mautrix-slack.md) bridges supported by the playbook. The playbook can install and configure [Beeper](https://www.beeper.com/)-maintained fork of [mx-puppet-slack](https://gitlab.com/beeper/mx-puppet-monorepo) for you. diff --git a/docs/configuring-playbook-cactus-comments.md b/docs/configuring-playbook-cactus-comments.md index 00c76f543..4d75c02e0 100644 --- a/docs/configuring-playbook-cactus-comments.md +++ b/docs/configuring-playbook-cactus-comments.md @@ -24,7 +24,7 @@ matrix_cactus_comments_enabled: true # To do this you need to uncomment one of the following lines (depending if you are using synapse or dentrite as a homeserver) # If you don't know which one you use: The default is synapse ;) # matrix_synapse_allow_guest_access: true -# matrix_dentrite_allow_guest_access +# matrix_dentrite_allow_guest_access: true ``` ## Installing diff --git a/docs/configuring-playbook-dendrite.md b/docs/configuring-playbook-dendrite.md new file mode 100644 index 000000000..fcd5693de --- /dev/null +++ b/docs/configuring-playbook-dendrite.md @@ -0,0 +1,32 @@ +# Configuring Dendrite (optional) + +By default, this playbook configures the [Synapse](https://github.com/matrix-org/synapse) Matrix server, but you can also use [Dendrite](https://github.com/matrix-org/dendrite). + +**NOTES**: + +- **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Dendrite). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet. + +- **homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding + +The playbook provided settings for Dendrite are defined in [`roles/custom/matrix-dendrite/defaults/main.yml`](../roles/custom/matrix-dendrite/defaults/main.yml) and they ultimately end up in the generated `/matrix/dendrite/config/dendrite.yaml` file (on the server). This file is generated from the [`roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2`](../roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2) template. + +**If there's an existing variable** which controls a setting you wish to change, you can simply define that variable in your configuration file (`inventory/host_vars/matrix./vars.yml`) and [re-run the playbook](installing.md) to apply the changes. + +Alternatively, **if there is no pre-defined variable** for a Dendrite setting you wish to change: + +- you can either **request a variable to be created** (or you can submit such a contribution yourself). Keep in mind that it's **probably not a good idea** to create variables for each one of Dendrite's various settings that rarely get used. + +- or, you can **extend and override the default configuration** ([`dendrite.yaml.j2`](../roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2)) by making use of the `matrix_dendrite_configuration_extension_yaml` variable. You can find information about this in [`roles/custom/matrix-dendrite/defaults/main.yml`](../roles/custom/matrix-dendrite/defaults/main.yml). + +- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_dendrite_configuration` (or `matrix_dendrite_configuration_yaml`). You can find information about this in [`roles/custom/matrix-dendrite/defaults/main.yml`](../roles/custom/matrix-dendrite/defaults/main.yml). + + + +## Installation + +To use Dendrite, you **generally** need the following additional `vars.yml` configuration: + +```yaml +matrix_homeserver_implementation: dendrite +``` + diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index e201785a1..4472e103e 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -6,14 +6,29 @@ If you're just installing Matrix services for the first time, please continue wi **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). -## Prerequisites +## Decide on a domain and path -The `dimension.` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. +By default, Dimension is configured to use its own dedicated domain (`dimension.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to another hostname compared to the default (`dimension.{{ matrix_domain }}`) +matrix_dimension_hostname: "integrations.{{ matrix_domain }}" + +``` + +While there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible right now due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You must serve Dimension at a dedicated subdomain until this issue is solved. + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server. ## Enable -[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): +To enable Dimension, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_dimension_enabled: true @@ -54,7 +69,7 @@ For more information on how to acquire an access token, visit [https://t2bot.io/ ## Installation -After these variables have been set, please run the following command to re-run setup and to restart Dimension: +After these variables have been set and you have potentially [adjusted your DNS records](#adjusting-dns-records), please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start diff --git a/docs/configuring-playbook-email2matrix.md b/docs/configuring-playbook-email2matrix.md index 56e181f1d..d65d2ccdb 100644 --- a/docs/configuring-playbook-email2matrix.md +++ b/docs/configuring-playbook-email2matrix.md @@ -70,7 +70,7 @@ matrix_email2matrix_matrix_mappings: SkipMarkdown: true ``` -You can also set `MatrixHomeserverUrl` to `http://matrix-synapse:8008`, instead of the public `https://matrix.DOMAIN`. +You can also set `MatrixHomeserverUrl` to `http://matrix-synapse-reverse-proxy-companion:8008`, instead of the public `https://matrix.DOMAIN`. However, that's more likely to break in the future if you switch to another server implementation than Synapse. Re-run the playbook (`--tags=setup-email2matrix,start`) and try sending an email to `my-mailbox@matrix.DOMAIN`. diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 2ea423ef7..76ad2f59c 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -1,19 +1,41 @@ # Setting up Etherpad (optional) -[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. +[Etherpad](https://etherpad.org) is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences. -## Prerequisites +## Decide on a domain and path -Etherpad can be installed in 2 modes: +By default, Etherpad is configured to use its own dedicated domain (`etherpad.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). -- (default) `standalone` mode (`matrix_etherpad_mode: standalone`) - Etherpad will be hosted on `etherpad.` (`matrix_server_fqn_etherpad`), so the DNS record for this domian must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up the `etherpad` DNS record correctly +You can override the domain and path like this: -- `dimension` mode (`matrix_etherpad_mode: dimension`) - Etherpad will be hosted on `dimension./etherpad` (`matrix_server_fqn_dimension`). This requires that you **first** configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md) +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Etherpad. +etherpad_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /etherpad subpath +etherpad_path_prefix: /etherpad +``` + +**NOTE**: When using the old `matrix-nginx-proxy` reverse-proxy instead of Traefik, you have only 2 choices: + +- serving Etherpad at its own dedicated domain: + - you need to set the domain using the `matrix_server_fqn_etherpad` variable (not `etherpad_hostname`) + - you must use `etherpad_path_prefix: /` +- serving Etherpad at the [Dimension](configuring-playbook-dimension.md) integration manager's domain (`matrix_server_fqn_dimension`) + - you need to have Dimension enabled + - you need to add `etherpad_path_prefix: /etherpad` or another prefix (different than `/`) + - you need to add `etherpad_nginx_proxy_dimension_integration_enabled: true` to enable this integration -We recomend that you go with the default (`standalone`) mode, which makes Etherpad independent and allows it to be used with or without Dimension. + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Etherpad domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. ## Installing @@ -21,41 +43,51 @@ We recomend that you go with the default (`standalone`) mode, which makes Etherp [Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_etherpad_enabled: true - -# Uncomment below if you'd like to install Etherpad on the Dimension domain (not recommended) -# matrix_etherpad_mode: dimension +etherpad_enabled: true # Uncomment below to enable the admin web UI -# matrix_etherpad_admin_username: admin -# matrix_etherpad_admin_password: some-password +# etherpad_admin_username: admin +# etherpad_admin_password: some-password ``` -If enabled, the admin web-UI should then be available on `https://etherpad./admin` (or `https://dimension./etherpad/admin`, if `matrix_etherpad_mode: dimension`) +Then, [run the installation process](installing.md) again (e.g. `just install-all`). -## Managing / Deleting old pads +## Usage + +The Etherpad UI should be available at `https://etherpad.`, while the admin UI (if enabled) should then be available at `https://etherpad./admin`. + +If you've [decided on another hostname or path-prefix](#decide-on-a-domain-and-path) (e.g. `https://matrix.DOMAIN/etherpad`), adjust these URLs accordingly before usage. + + +### Managing / Deleting old pads If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. -Then from the plugin manager page (`https://etherpad./admin/plugins` or `https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. +Then from the plugin manager page (`https://etherpad./admin/plugins`, install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. + + +### How to use Etherpad widgets without an Integration Manager (like Dimension) + +This is how it works in Element, it might work quite similar with other clients: + +To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section. -## Set Dimension default to the self-hosted Etherpad (optional) +### Set Dimension default to the self-hosted Etherpad (optional) If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template. The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab. -### Removing the integrated Etherpad chat +#### Removing the integrated Etherpad chat -If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Examples: -- `https://etherpad./p/$roomId_$padName?showChat=false` (for the default - `matrix_etherpad_mode: standalone`) +If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. -- `https://dimension./etherpad/p/$roomId_$padName?showChat=false` (for `matrix_etherpad_mode: dimension`) +Example: `https://etherpad./p/$roomId_$padName?showChat=false` -### Known issues +## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. diff --git a/docs/configuring-playbook-external-postgres.md b/docs/configuring-playbook-external-postgres.md index 1f1a30e49..d3c16cd97 100644 --- a/docs/configuring-playbook-external-postgres.md +++ b/docs/configuring-playbook-external-postgres.md @@ -10,7 +10,7 @@ If you'd like to use an external PostgreSQL server that you manage, you can edit If you'd like to use an external Postgres server, use a custom `vars.yml` configuration like this: ```yaml -matrix_postgres_enabled: false +devture_postgres_enabled: false # Rewire Synapse to use your external Postgres server matrix_synapse_database_host: "your-postgres-server-hostname" diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md index 4650b5e2c..5a1e76e5d 100644 --- a/docs/configuring-playbook-federation.md +++ b/docs/configuring-playbook-federation.md @@ -46,6 +46,9 @@ matrix_synapse_federation_port_enabled: false # This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false + +# This stops the federation port on the synapse-reverse-proxy-companion side (normally `matrix-synapse-reverse-proxy-companion:8048` on the container network). +matrix_synapse_reverse_proxy_companion_federation_api_enabled: false ``` ## Changing the federation port from 8448 to a different port to use a CDN that only accepts 443/80 ports diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f278e54ec..1213f46a7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -9,12 +9,12 @@ The setup done by the playbook is very similar to [docker-jitsi-meet](https://gi ## Prerequisites -Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md). +Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record (unless you've changed `jitsi_hostname`, as described below). See [Configuring DNS](configuring-dns.md) for details about DNS changes. You may also need to open the following ports to your server: - `4443/tcp` - RTP media fallback over TCP -- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/custom/matrix-jitsi/defaults/main.yml)). +- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`jitsi_jvb_stun_servers`](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/defaults/main.yml)). ## Installation @@ -22,16 +22,14 @@ You may also need to open the following ports to your server: Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml -matrix_jitsi_enabled: true +jitsi_enabled: true -# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, -# or define your own strong passwords manually. -matrix_jitsi_jicofo_auth_password: "" -matrix_jitsi_jvb_auth_password: "" -matrix_jitsi_jibri_recorder_password: "" -matrix_jitsi_jibri_xmpp_password: "" -``` +# Uncomment and adjust if you need to use another hostname +# jitsi_hostname: "jitsi.{{ matrix_domain }}" +# Uncomment and possible adjust if you'd like to host under a subpath +# jitsi_path_prefix: /jitsi +``` ## (Optional) Configure Jitsi authentication and guests mode @@ -39,45 +37,71 @@ By default the Jitsi Meet instance does not require any kind of login and is ope If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). -If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow the following steps to enable Jitsi's authentication and optionally guests mode. +Currently, there are three supported authentication modes: 'internal' (default), 'matrix' and 'ldap'. + +**Note:** Authentication is not tested via the playbook's self-checks. +We therefore recommend that you manually verify if authentication is required by jitsi. +For this, try to manually create a conference on jitsi.DOMAIN in your browser. + +### Authenticate using Jitsi accounts (Auth-Type 'internal') +The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms. +With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. +If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml -matrix_jitsi_enable_auth: true -matrix_jitsi_enable_guests: true -matrix_jitsi_prosody_auth_internal_accounts: +jitsi_enable_auth: true +jitsi_enable_guests: true +jitsi_prosody_auth_internal_accounts: - username: "jitsi-moderator" password: "secret-password" - username: "another-user" password: "another-password" ``` -**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. +**Caution:** Accounts added here and subsequently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). +### Authenticate using Matrix OpenID (Auth-Type 'matrix') -### (Optional) LDAP authentication +**Attention: Probably breaks Jitsi in federated rooms and does not allow sharing conference links with guests.** -The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: +Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service). +By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md). + +To enable set this configuration at host level: ```yaml -matrix_jitsi_enable_auth: true -matrix_jitsi_auth_type: ldap -matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN" -matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN -#matrix_jitsi_ldap_binddn: "" -#matrix_jitsi_ldap_bindpw: "" -matrix_jitsi_ldap_filter: "uid=%u" -matrix_jitsi_ldap_auth_method: "bind" -matrix_jitsi_ldap_version: "3" -matrix_jitsi_ldap_use_tls: true -matrix_jitsi_ldap_tls_ciphers: "" -matrix_jitsi_ldap_tls_check_peer: true -matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" -matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" -matrix_jitsi_ldap_start_tls: false +jitsi_enable_auth: true +jitsi_auth_type: matrix +matrix_user_verification_service_enabled: true +``` + +For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification). + +### Authenticate using LDAP (Auth-Type 'ldap') + +An example LDAP configuration could be: + +```yaml +jitsi_enable_auth: true +jitsi_auth_type: ldap +jitsi_ldap_url: "ldap://ldap.DOMAIN" +jitsi_ldap_base: "OU=People,DC=DOMAIN" +#jitsi_ldap_binddn: "" +#jitsi_ldap_bindpw: "" +jitsi_ldap_filter: "uid=%u" +jitsi_ldap_auth_method: "bind" +jitsi_ldap_version: "3" +jitsi_ldap_use_tls: true +jitsi_ldap_tls_ciphers: "" +jitsi_ldap_tls_check_peer: true +jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" +jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" +jitsi_ldap_start_tls: false ``` For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation. @@ -94,7 +118,7 @@ Here is how to do it in the playbook. Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml -matrix_jitsi_jvb_container_extra_arguments: +jitsi_jvb_container_extra_arguments: - '--env "JVB_ADVERTISE_IPS="' ``` @@ -103,7 +127,7 @@ matrix_jitsi_jvb_container_extra_arguments: Sample **additional** `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration to save up resources (explained below): ```yaml -matrix_jitsi_web_custom_config_extension: | +jitsi_web_custom_config_extension: | config.enableLayerSuspension = true; config.disableAudioLevels = true; @@ -111,13 +135,12 @@ matrix_jitsi_web_custom_config_extension: | // Limit the number of video feeds forwarded to each client config.channelLastN = 4; -matrix_jitsi_web_config_resolution_width_ideal_and_max: 480 -matrix_jitsi_web_config_resolution_height_ideal_and_max: 240 +jitsi_web_config_resolution_width_ideal_and_max: 480 +jitsi_web_config_resolution_height_ideal_and_max: 240 ``` You may want to **suspend unused video layers** until they are requested again, to save up resources on both server and clients. Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/) -For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: You may wish to **disable audio levels** to avoid excessive refresh of the client-side page and decrease the CPU consumption involved. @@ -127,6 +150,102 @@ Read how it works [here](https://github.com/jitsi/jitsi-videobridge/blob/master/ You may want to **limit the maximum video resolution**, to save up resources on both server and clients. +## (Optional) Specify a Max number of participants on a Jitsi conference + +The playbook allows a user to set a max number of participants allowed to join a Jitsi conference. By default there is no limit. + +In order to set the max number of participants use the following **additional** configuration: + +```yaml +jitsi_prosody_max_participants: 4 # example value +``` + +## (Optional) Additional JVBs + +By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts. + +There is an ansible playbook that can be run with the following tag: +`ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` + +For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example: +``` +[jitsi_jvb_servers] + ansible_host= +``` + +Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB. +The server id is set with the variable `jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container. +This variable can be set via the host file, a parameter to the ansible command or in the `vars.yaml` for the host which will have the additional JVB. For example: + +``` yaml +jitsi_jvb_server_id: 'jvb-2' +``` + +``` INI +[jitsi_jvb_servers] +jvb-2.example.com ansible_host=192.168.0.2 jitsi_jvb_server_id=jvb-2 +jvb-3.example.com ansible_host=192.168.0.3 jitsi_jvb_server_id=jvb-2 +``` + +Note that the server id `jvb-1` is reserved for the JVB instance running on the Matrix host and therefore should not be used as the id of an additional jvb host. + +The additional JVB will also need to expose the colibri web socket port and this can be done with the following variable: + +```yaml +jitsi_jvb_container_colibri_ws_host_bind_port: 9090 +``` + +The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable +`jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example: + +```yaml +jitsi_xmpp_server: "{{ matrix_domain }}" +``` + +However, it can also be set the ip address of the matrix server. This can be useful if you wish to use a private ip. For example: + +```yaml +jitsi_xmpp_server: "192.168.0.1" +``` + +For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the +port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but +the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this: + +```yaml +jitsi_prosody_container_jvb_host_bind_port: 5222 +``` + +(The default is empty; if it's set then docker forwards the port.) + +The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable +`matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses. + +For example, + +``` yaml +matrix_nginx_proxy_proxy_jitsi_additional_jvbs: + jvb-2: 192.168.0.2 + jvb-3: 192.168.0.3 +``` + + +Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo +to route conferences too. + +## (Optional) Enable Gravatar + +In the default Jisti Meet configuration, gravatar.com is enabled as an avatar service. This results in third party request leaking data to gravatar. +Since element already sends the url of configured Matrix avatars to Jitsi, we disabled gravatar. + +To enable Gravatar set: + +```yaml +jitsi_disable_gravatar: false +``` + +**Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com). +Besides metadata, this includes the matrix user_id and possibly the room identifier (via `referrer` header). ## Apply changes @@ -150,7 +269,7 @@ You can use the self-hosted Jitsi server in multiple ways: ### Rebuilding your Jitsi installation -**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. +**If you ever run into any trouble** or **if you change configuration (`jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. @@ -158,7 +277,6 @@ These files are not all managed by Ansible (at least not yet), so you may someti To rebuild your Jitsi configuration: -- SSH into the server and do this: - - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). - - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) -- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) +- ask Ansible to stop all Jitsi services: `just run-tags stop-group --extra-vars=group=jitsi` +- SSH into the server and do this and remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) +- ask Ansible to set up Jitsi anew and restart services (`just install-service jitsi`) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index ecc0f2579..dabc25219 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -8,7 +8,9 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_ldap_enabled: true -matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" +matrix_synapse_ext_password_provider_ldap_uri: + - "ldap://ldap-01.mydomain.tld:389" + - "ldap://ldap-02.mydomain.tld:389" matrix_synapse_ext_password_provider_ldap_start_tls: true matrix_synapse_ext_password_provider_ldap_base: "ou=users,dc=example,dc=com" matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index eb635c641..2000cfd99 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -91,7 +91,7 @@ matrix_corporal_policy_provider_config: | } # Modify the policy below as you see fit -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_corporal_config_dir_path }}/policy.json" content: | { diff --git a/docs/configuring-playbook-matrix-media-repo.md b/docs/configuring-playbook-matrix-media-repo.md new file mode 100644 index 000000000..d5d6eda37 --- /dev/null +++ b/docs/configuring-playbook-matrix-media-repo.md @@ -0,0 +1,106 @@ +# Setting up matrix-media-repo (optional) + +[matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/) is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification. + +Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption. Please do your research before deploying this as this project may not be useful for your environment. + +For a simpler alternative (which allows you to offload your media repository storage to S3, etc.), you can [configure S3 storage](configuring-playbook-s3.md) instead of setting up matrix-media-repo. + +## Quickstart + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_media_repo_enabled: true + +# (optional) Turned off by default +# matrix_media_repo_metrics_enabled: true +``` + +The repo is pre-configured for integrating with the Postgres database, NGINX proxy and [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) (if metrics enabled) from this playbook for all the available homeserver roles. When the media repo is enabled, other media store roles should be disabled (if using Synapse with other media store roles). + +By default, the media-repo will use the local filesystem for data storage. Additional options include `s3` and `IPFS` (experimental). Access token caching is also enabled by default since the logout endpoints are proxied through the media repo. + +## Configuring the media-repo + +Additional common configuration options: +```yaml + +# The postgres database pooling options + +# The maximum number of connects to hold open. More of these allow for more concurrent +# processes to happen. +matrix_media_repo_database_max_connections: 25 + +# The maximum number of connects to leave idle. More of these reduces the time it takes +# to serve requests in low-traffic scenarios. +matrix_media_repo_database_max_idle_connections: 5 + +# These users have full access to the administrative functions of the media repository. +# See https://github.com/turt2live/matrix-media-repo/blob/release-v1.2.8/docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +matrix_media_repo_admins: + admins: [] +# admins: +# - "@your_username:example.org" + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +matrix_media_repo_datastores: + datastores: + - type: file + enabled: true # Enable this to set up data storage. + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + path: /data/media + + - type: s3 + enabled: false # Enable this to set up s3 uploads + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). If you aren't concerned about + # memory usage, set this to an empty string. + tempPath: "/tmp/mediarepo_s3_upload" + endpoint: sfo2.digitaloceanspaces.com + accessKeyId: "" + accessSecret: "" + ssl: true + bucketName: "your-media-bucket" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + #region: "sfo2" + # An optional storage class for tuning how the media is stored at s3. + # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use. + #storageClass: STANDARD + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + enabled: false # Enable this to use IPFS support + forKinds: ["local_media"] + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +``` + +Full list of configuration options with documentation can be found in `roles/custom/matrix-media-repo/templates/defaults/main.yml` + diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index 2b4b07ff2..491d94e23 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -4,6 +4,8 @@ The playbook can install and configure [matrix-registration](https://github.com/ **WARNING**: this is a poorly maintained and buggy project. It's better to avoid using it. +**WARNING**: this is not related to [matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) + > matrix-registration is a simple python application to have a token based matrix registration. Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows you to **keep your server's registration closed (private)**, but still allow certain people (these having a special link) to register a user account. diff --git a/docs/configuring-playbook-mautrix-bridges.md b/docs/configuring-playbook-mautrix-bridges.md index abc6b0f18..c6e78d02d 100644 --- a/docs/configuring-playbook-mautrix-bridges.md +++ b/docs/configuring-playbook-mautrix-bridges.md @@ -32,7 +32,18 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | '@YOUR_USERNAME:{{ matrix_domain }}': admin ``` +## encryption + Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: + +**for all bridges with encryption support**: + +```yaml +matrix_bridges_encryption_enabled: true +``` + +**Alternatively**, for a specific bridge: + ```yaml matrix_mautrix_SERVICENAME_configuration_extension_yaml: | bridge: @@ -41,6 +52,24 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | default: true ``` +## relay mode + +Relay mode is off by default. If you would like to enable relay mode, add the following to your `vars.yml` file: + +**for all bridges with relay mode support**: + +```yaml +matrix_bridges_relay_enabled: true +``` + +**Alternatively**, for a specific bridge: + +```yaml +matrix_mautrix_SERVICENAME_configuration_extension_yaml: | + bridge: + relay: + enabled: true +``` You can only have one `matrix_mautrix_SERVICENAME_configuration_extension_yaml` definition in `vars.yml` per bridge, so if you need multiple pieces of configuration there, just merge them like this: diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 96f854d0e..43cff4a83 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -1,7 +1,6 @@ # Configure Nginx (optional, advanced) -By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. -If that's alright, you can skip this. +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). Traefik is already the default reverse-proxy for new installations and existing users are also strongly encouraged to switch to Traefik. As such, this **nginx documentation below may be incomplete or misleading**. ## Using Nginx status diff --git a/docs/configuring-playbook-ntfy.md b/docs/configuring-playbook-ntfy.md index a5aec60b4..c5549dbf4 100644 --- a/docs/configuring-playbook-ntfy.md +++ b/docs/configuring-playbook-ntfy.md @@ -15,17 +15,23 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml # Enabling it is the only required setting -matrix_ntfy_enabled: true +ntfy_enabled: true -# Some other options -matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" -matrix_ntfy_configuration_extension_yaml: | - log_level: DEBUG +# This is the default hostname. +# Uncomment the line below and change it, if you'd like. +# matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" + +# Uncomment to enable the ntfy web app (disabled by default) +# ntfy_web_root: app # defaults to "disable" + +# Uncomment and change to inject additional configuration options. +# ntfy_configuration_extension_yaml: | +# log_level: DEBUG ``` -For a more complete list of variables that you could override, see `roles/custom/matrix-ntfy/defaults/main.yml`. +For a more complete list of variables that you could override, see the [`defaults/main.yml` file](https://gitlab.com/etke.cc/roles/ntfy/-/blob/main/defaults/main.yml) of the ntfy Ansible role. -For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options). +For a complete list of ntfy config options that you could put in `ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options). ## Installing @@ -78,6 +84,12 @@ If the matrix app asks, "Choose a distributor: FCM Fallback or ntfy", then choos If the matrix app doesn't seem to pick it up, try restarting it and try the Troubleshooting section below. +### Web App + +ntfy also has a web app to subscribe to and push to topics from the browser. This may be helpful to further troubleshoot UnifiedPush problems or to use ntfy for other purposes. The web app only runs in the browser locally (after downloading the JavaScript). + +The web app is disabled in this playbook by default as the expectation is that most users won't use it. You can either use the [official hosted one](https://ntfy.sh/app) (it supports using other public reachable ntfy instances) or host it yourself by setting `ntfy_web_root: "app"` and re-running Ansible. + ## Troubleshooting diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 9fd51086b..f276a554d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -1,205 +1,49 @@ -# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) +# Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced) + +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**. By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443. If that's alright, you can skip this. -If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, -and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. - -You should note, however, that the playbook's services work best when you keep using the integrated `matrix-nginx-proxy` webserver. -For example, disabling `matrix-nginx-proxy` when running a [Synapse worker setup for load-balancing](configuring-playbook-synapse.md#load-balancing-with-workers) (a more advanced, non-default configuration) is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)). If you need a such more scalable setup, disabling `matrix-nginx-proxy` will be a bad idea. If yours will be a simple (default, non-worker-load-balancing) deployment, disabling `matrix-nginx-proxy` may be fine. - -There are **2 ways you can go about it**, if you'd like to use your own webserver: - -- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver) - -- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy) - - -## Method 1: Disabling the integrated nginx reverse-proxy webserver +Soon, this default will change and the playbook will install its own [Traefik](https://traefik.io/) reverse-proxy instead. -This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver. -For an alternative, make sure to check Method #2 as well. +## Traefik -### Preparation +[Traefik](https://traefik.io/) will be the default reverse-proxy for the playbook in the near future. -No matter which external webserver you decide to go with, you'll need to: +There are 2 ways to use Traefik with this playbook, as described below. -1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. +### Traefik managed by the playbook -2) Edit your configuration file (`inventory/host_vars/matrix./vars.yml`) - - to disable the integrated nginx server: - - ```yaml - matrix_nginx_proxy_enabled: false - ``` - - if using an external server on another host, add the `_http_host_bind_port` or `_http_bind_port` variables for the services that will be exposed by the external server on the other host. The actual name of the variable is listed in the `roles//defaults/vars.yml` file for each service. Most variables follow the `_http_host_bind_port` format. - - These variables will make Docker expose the ports on all network interfaces instead of localhost only. - [Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints) - - Here are the variables required for the default configuration (Synapse and Element) - ``` - matrix_synapse_container_client_api_host_bind_port: '0.0.0.0:8008' - matrix_synapse_container_federation_api_plain_host_bind_port: '0.0.0.0:8048' - matrix_client_element_container_http_host_bind_port: "0.0.0.0:8765" - ``` - -3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix./vars.yml`) to disable SSL certificate retrieval: +To switch to Traefik now, use configuration like this: ```yaml -matrix_ssl_retrieval_method: none -``` - -**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards. +matrix_playbook_reverse_proxy_type: playbook-managed-traefik -### Using your own external nginx webserver - -Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server. - -Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`. -Those configuration files are adapted for use with an external web server (one not running in the container network). - -You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` - -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: - -```yaml -# Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_protocols: "TLSv1.2" +devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS ``` -If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue. - -### Using your own external Apache webserver - -Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration. - -### Using your own external caddy webserver - -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively. - -### Using your own HAproxy reverse proxy -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files. +This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will manage SSL certificates for all services seamlessly. -### Using another external webserver +**Note**: during the transition period, `matrix-nginx-proxy` will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the future, we'll be able to run without nginx, but we're not there yet. -Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/). - - -## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy - -This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.). - -If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). - -You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network). - -You would need some configuration like this: - -```yaml -# Do not retrieve SSL certificates. This shall be managed by another webserver or other means. -matrix_ssl_retrieval_method: none - -# Do not try to serve HTTPS, since we have no SSL certificates. -# Disabling this also means services will be served on the HTTP port -# (`matrix_nginx_proxy_container_http_host_bind_port`). -matrix_nginx_proxy_https_enabled: false - -# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' - -# Likewise, expose the Matrix Federation port on the loopback interface. -# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -# -# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap). -matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' - -# Coturn relies on SSL certificates that have already been obtained. -# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default. -# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. -matrix_coturn_enabled: false - -# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true - -# Trust and use the other reverse proxy's `X-Forwarded-For` header. -matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' -``` - -With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. - -All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above). - -You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. -The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN` are optional). - -### Sample configuration for running behind Traefik 2.0 - -Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. +### Traefik managed by you ```yaml -# Disable generation and retrieval of SSL certs -matrix_ssl_retrieval_method: none - -# Configure Nginx to only use plain HTTP -matrix_nginx_proxy_https_enabled: false - -# Don't bind any HTTP or federation port to the host -# (Traefik will proxy directly into the containers) -matrix_nginx_proxy_container_http_host_bind_port: '' -matrix_nginx_proxy_container_federation_host_bind_port: '' - -# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true - -# Trust and use the other reverse proxy's `X-Forwarded-For` header. -matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' - -# Disable Coturn because it needs SSL certs -# (Clients can, though exposing IP address, use Matrix.org TURN) -matrix_coturn_enabled: false - -# All containers need to be on the same Docker network as Traefik -# (This network should already exist and Traefik should be using this network) -matrix_docker_network: 'traefik' - -matrix_nginx_proxy_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Nginx proxy container will receive traffic from these subdomains - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"' - - # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' - - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' +matrix_playbook_reverse_proxy_type: other-traefik-container - # The Nginx proxy container uses port 8080 internally - - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' +matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network -matrix_synapse_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Synapse container will receive traffic from this subdomain - - '--label "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix_server_fqn_matrix }}`)"' +devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory" +``` - # (The 'synapse' entrypoint must bind to port 8448 in Traefik config) - - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"' +In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-synapse.tls.certResolver=default"' +By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver. - # The Synapse container uses port 8048 internally - - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"' -``` +You need to configure 3 entrypoints for your Traefik server: `web` (TCP port `80`), `web-secure` (TCP port `443`) and `matrix-federation` (TCP port `8448`). -This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. +Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook). Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: @@ -229,7 +73,7 @@ version: "3.3" services: traefik: - image: "traefik:v2.3" + image: "docker.io/traefik:v2.9.6" restart: always container_name: "traefik" networks: @@ -240,7 +84,7 @@ services: - "--providers.docker.network=traefik" - "--providers.docker.exposedbydefault=false" - "--entrypoints.web-secure.address=:443" - - "--entrypoints.synapse.address=:8448" + - "--entrypoints.federation.address=:8448" - "--certificatesresolvers.default.acme.tlschallenge=true" - "--certificatesresolvers.default.acme.email=YOUR EMAIL" - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json" @@ -255,3 +99,128 @@ networks: traefik: external: true ``` + +## Another webserver + +If you don't wish to use Traefik or `matrix-nginx-proxy`, you can also use your own webserver. + +Doing this is possible, but requires manual work. + +There are 2 ways to go about it: + +- (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using a playbook-managed reverse-proxy (either `matrix-nginx-proxy` or Traefik), disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports + +- (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling all playbook-managed reverse-proxies (no `matrix-nginx-proxy`, no Traefik) + + +### Fronting the integrated reverse-proxy webserver with another reverse-proxy + +This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.). + +If you wish to use another webserver, the integrated reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). + +You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network). + +This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it. + +To front Traefik with another reverse-proxy, you would need some configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81` +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from +# a reverse-proxy running on the local machine is safe enough. +devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true + +# Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces: +# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above +# - uncomment and adjust the line below +# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] + +# Likewise (to `devture_traefik_container_web_host_bind_port` above), +# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below. +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: 8449 + host_bind_port: '127.0.0.1:8449' + config: {} + # If your reverse-proxy runs on another machine, remove the config above and use this config instead: + # config: + # forwardedHeaders: + # insecure: true + # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] +``` + +For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md). + + +### Using no reverse-proxy on the Matrix side at all + +Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services. + +This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do. + +If your webserver is on the same machine, sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. + +#### Using your own nginx reverse-proxy running on the same machine + +**WARNING**: this type of setup is not maintained and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. + +If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration: + +```yaml +matrix_playbook_reverse_proxy_type: other-nginx-non-container + +# If you want https configured in /matrix/nginx-proxy/conf.d/ +matrix_nginx_proxy_https_enabled: true + +# If you will manage SSL certificates yourself, uncomment the line below +# matrix_ssl_retrieval_method: none + +# If you're using an old nginx version, consider using a custom protocol list +# (removing `TLSv1.3` that is enabled by default) to suit your nginx version. +# matrix_nginx_proxy_ssl_protocols: "TLSv1.2" +``` + +You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` + +#### Using your own reverse-proxy running on the same machine or elsewhere + +**WARNING**: this is difficult to set up, likely not very well supported and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. + +To reverse-proxy manually for each service, use configuration like this: + +```yaml +# If your reverse-proxy runs on the same machine: +matrix_playbook_reverse_proxy_type: other-on-same-host + +# Or, if it runs on another machine: +# matrix_playbook_reverse_proxy_type: other-on-another-host + +# Or, optionally customize the network interface prefix (note the trailing `:` character). +# For other-on-same-host, the interface defaults to `127.0.0.1:`. +# For other-on-another-host, the interface defaults to `0.0.0.0:`. +# matrix_playbook_service_host_bind_interface_prefix: '192.168.30.4:' +``` + +With this configuration, each service will be exposed on a custom port. Example: + +- Synapse will be exposed on port `8008` +- [Grafana](configuring-playbook-prometheus-grafana.md) will be exposed on port `3000` +- [synapse-admin](configuring-playbook-synapse-admin.md) will be exposed on port `8766` + +You can capture traffic for these services and forward it to their port. +Some of these services are configured with certain default expecations with regard to hostname, path, etc., so it's not completely arbitrary where you can host them (unless you change the defaults). + +For each new playbook service that you enable, you'll need special handling. + +The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc. diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 75b599c88..9ea3c60eb 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -1,6 +1,6 @@ # Setting up postgres backup (optional) -The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you. +The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you via the [com.devture.ansible.role.postgres_backup](https://github.com/devture/com.devture.ansible.role.postgres_backup) Ansible role. For a more complete backup solution (one that includes not only Postgres, but also other configuration/data files), you may wish to look into [borg backup](configuring-playbook-backup-borg.md) instead. @@ -10,7 +10,7 @@ For a more complete backup solution (one that includes not only Postgres, but al Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable Postgres backup: ```yaml -matrix_postgres_backup_enabled: true +devture_postgres_backup_enabled: true ``` Refer to the table below for additional configuration variables and their default values. @@ -18,12 +18,13 @@ Refer to the table below for additional configuration variables and their defaul | Name | Default value | Description | | :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | -|`matrix_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| -|`matrix_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| -|`matrix_postgres_backup_keep_days`|`7`|Number of daily backups to keep| -|`matrix_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| -|`matrix_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| -|`matrix_postgres_backup_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Storagepath for the database backups| +|`devture_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| +|`devture_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| +|`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep| +|`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| +|`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| +|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` | +|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups | ## Installing diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index f86566a94..49a47f1a5 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -7,24 +7,27 @@ You can enable this with the following settings in your configuration file (`inv Remember to add `stats.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. ```yaml -matrix_prometheus_enabled: true +prometheus_enabled: true # You can remove this, if unnecessary. -matrix_prometheus_node_exporter_enabled: true +prometheus_node_exporter_enabled: true # You can remove this, if unnecessary. -matrix_prometheus_postgres_exporter_enabled: true +prometheus_postgres_exporter_enabled: true -matrix_grafana_enabled: true +# You can remove this, if unnecessary. +matrix_prometheus_nginxlog_exporter_enabled: true + +grafana_enabled: true -matrix_grafana_anonymous_access: false +grafana_anonymous_access: false # This has no relation to your Matrix user id. It can be any username you'd like. # Changing the username subsequently won't work. -matrix_grafana_default_admin_user: "some_username_chosen_by_you" +grafana_default_admin_user: "some_username_chosen_by_you" # Changing the password subsequently won't work. -matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you" +grafana_default_admin_password: "some_strong_password_chosen_by_you" ``` By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.`. @@ -36,24 +39,25 @@ The retention policy of Prometheus metrics is [15 days by default](https://prome Name | Description -----|---------- -`matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. -`matrix_prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures -`matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. -`matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in -`matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. -`matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here +`prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. +`prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures +`prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. +`matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus. +`grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in +`grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. +`grafana_default_admin_user`
`grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here ## Security and privacy Metrics and resulting graphs can contain a lot of information. This includes system specs but also usage patterns. This applies especially to small personal/family scale homeservers. Someone might be able to figure out when you wake up and go to sleep by looking at the graphs over time. Think about this before enabling anonymous access. And you should really not forget to change your Grafana password. -Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `matrix_prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source. +Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source. ## Collecting metrics to an external Prometheus server -**If the integrated Prometheus server is enabled** (`matrix_prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly". +**If the integrated Prometheus server is enabled** (`prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly". When you'd like **to collect metrics from an external Prometheus server**, you need to expose service metrics outside of the container network. @@ -70,14 +74,16 @@ Name | Description `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs. If you only need one credential, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` instead. `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network) `matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`). -`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network) -`matrix_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) -`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network) -`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) +`prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network) +`matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) +`prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network) +`matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network) +`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network) `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`|Add nginx `location` blocks to this list if you'd like to expose additional exporters manually (see below) +`matrix_media_repo_metrics_enabled`|Set this to `true` to make media-repo expose metrics (locally, on the container network) Example for how to make use of `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` for exposing additional metrics locations: ```nginx diff --git a/docs/configuring-playbook-prometheus-nginxlog.md b/docs/configuring-playbook-prometheus-nginxlog.md new file mode 100644 index 000000000..55272de40 --- /dev/null +++ b/docs/configuring-playbook-prometheus-nginxlog.md @@ -0,0 +1,59 @@ +# Enabling metrics and graphs for NginX logs (optional) + +It can be useful to have some (visual) insight into NignX logs. + +This adds [prometheus-nginxlog-exporter](https://github.com/martin-helmich/prometheus-nginxlog-exporter/) to your matrix deployment. +It will provide a prometheus 'metrics' endpoint exposing data from both the `matrix-nginx-proxy` and `matrix-synapse-reverse-proxy-companion` logs and automatically aggregates the data with prometheus. +Optionally it visualizes the data, if [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) is enabled, by means of a dedicated Grafana dashboard named `NGINX PROXY` + +You can enable this role by adding the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_prometheus_nginxlog_exporter_enabled: true + +# required depency +prometheus_enabled: true + +# optional for visualization +grafana_enabled: true +``` + +x | Prerequisites | Variable | Description +|:--:|:--:|:--:|:--| +**REQUIRED** | `matrix-prometheus`| `prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. +_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added. + +## Docker Image Compatibility + +At the moment of writing only images for `amd64` and `arm64` architectures are available + +The playbook currently does not support building an image. +You can however use a custom-build image by setting +```yaml +matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: false +matrix_prometheus_nginxlog_exporter_docker_image: path/to/docker/image:tag +``` + +## Security and privacy + +Metrics and resulting graphs can contain a lot of information. NginX logs contain information like IP address, URLs, UserAgents and more. This information can reveal usage patterns and could be considered Personally Identifiable Information (PII). Think about this before enabling (anonymous) access. +Please make sure you change the default Grafana password. + +## Save metrics on an external Prometheus server + +The playbook will automatically integrate the metrics into the Prometheus server provided with this playbook. You can choose to save data on an external Prometheus instance. + +The metrics of this role will be exposed on `https://matrix.DOMAIN/metrics/nginxlog` when setting +```yaml +matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: true + +# required dependency +matrix_nginx_proxy_proxy_matrix_metrics_enabled: true +``` +The playbook can provide a single endpoint (`https://matrix.DOMAIN/metrics/*`), under which various services may expose their metrics (e.g. `/metrics/node-exporter`, `/metrics/postgres-exporter`, `/metrics/nginxlog`, etc). To enable this `/metrics/*` feature, use `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. To protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`. + +The following variables may be of interest: + +Name | Description +-----|---------- +`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service. diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md index 6fd13a9e9..c3c8e0bfb 100644 --- a/docs/configuring-playbook-prometheus-postgres.md +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -6,17 +6,17 @@ You can enable this with the following settings in your configuration file (`inv ```yaml -matrix_prometheus_postgres_exporter_enabled: true +prometheus_postgres_exporter_enabled: true ``` ## What does it do? Name | Description -----|---------- -`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' -`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' -`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook -`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) +`prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' +`prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' +`prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook +`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) ## More information diff --git a/docs/configuring-playbook-rageshake.md b/docs/configuring-playbook-rageshake.md new file mode 100644 index 000000000..fe45db260 --- /dev/null +++ b/docs/configuring-playbook-rageshake.md @@ -0,0 +1,65 @@ +# Setting up Rageshake (optional) + +The playbook can install and configure the [rageshake](https://github.com/matrix-org/rageshake) bug report server for you. + +This is useful if you're developing your own applications and would like to collect bug reports for them. + + +## Decide on a domain and path + +By default, Rageshake is configured to use its own dedicated domain (`rageshake.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Rageshake. +matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /rageshake subpath +matrix_rageshake_path_prefix: /rageshake +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_rageshake` (e.g. `matrix_server_fqn_rageshake: "some-domain.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Rageshake domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + +## Enabling the Rageshake service + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_rageshake_enabled: true +``` + +Rageshake has various options which don't have dedicated Ansible variables. You can see the full list of options in the [`rageshake.sample.yaml` file](https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml). + +To set these, you can make use of the `matrix_rageshake_configuration_extension_yaml` variable like this: + +```yaml +matrix_rageshake_configuration_extension_yaml: | + github_token: secrettoken + + github_project_mappings: + my-app: octocat/HelloWorld +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +Refer to the [rageshake documentation](https://github.com/matrix-org/rageshake) for available APIs, etc. diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index 539f96d32..f5a182840 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -5,11 +5,13 @@ If that's alright, you can skip this. As an alternative to storing media files on the local filesystem, you can store them on [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object store. +You can do this either by sticking to Synapse's media repository and making that use S3 (read below for this method), or by switching to an external media storage implementation like [matrix-media-repo](configuring-playbook-matrix-media-repo.md). + First, [choose an Object Storage provider](#choosing-an-object-storage-provider). Then, [create the S3 bucket](#bucket-creation-and-security-configuration). -Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md) or [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md)). +Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md), [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md), or use s3 datastore with the [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html)). ## Choosing an Object Storage provider @@ -105,3 +107,4 @@ To set up Synapse to store files in S3, follow the instructions for the method o - using [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md) (recommended) - using [Goofys to mount the S3 store to the local filesystem](configuring-playbook-s3-goofys.md) +- using [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html) diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md new file mode 100644 index 000000000..a0eb36ba4 --- /dev/null +++ b/docs/configuring-playbook-sliding-sync-proxy.md @@ -0,0 +1,62 @@ +# Setting up Sliding Sync Proxy (optional) + +The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you. + +Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). + +See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more. + +Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi). + +Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version. + +**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. + + +## Decide on a domain and path + +By default, the Sliding Sync proxy is configured to be served on the Matrix domain (`matrix.DOMAIN`, controlled by `matrix_server_fqn_matrix`), under the `/sliding-sync` path. + +This makes it easy to set it up, **without** having to [adjust your DNS records](#adjusting-dns-records). + +If you'd like to run the Sliding Sync proxy on another hostname or path, use the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables. + + +## Adjusting DNS records + +If you've changed the default hostame, **you may need to adjust your DNS** records. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_sliding_sync_enabled: true +``` + + +## Installing + +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`. + +### External databases + +Please note that, if your setup utilizes an external database, you must also establish configuration for the sliding sync proxy. Alter the defaults below to suit your configuration: + +```yaml +matrix_sliding_sync_database_username: 'matrix_sliding_sync' +matrix_sliding_sync_database_password: '' +matrix_sliding_sync_database_hostname: '' +matrix_sliding_sync_database_port: 5432 +matrix_sliding_sync_database_name: 'matrix_sliding_sync' +``` + +## Usage + +You **don't need to do anything special** to make use of the Sliding Sync Proxy. +Simply open your client which supports Sliding Sync (like Element X) and log in. + +When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.DOMAIN/sliding-sync`). + +This allows clients which support Sliding Sync to detect the Sliding Sync Proxy's URL and make use of it. diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 606160da4..6a215973b 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -1,112 +1,100 @@ # Adjusting SSL certificate retrieval (optional, advanced) -By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.` and possibly `element.`) +By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.` and others) -Those certificates are used when configuring the nginx reverse proxy installed by this playbook. -They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook. +This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md). -If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below. -Things discussed in this document: +## Using staging Let's Encrypt certificates instead of real ones -- [Using self-signed SSL certificates](#using-self-signed-ssl-certificates), if you can't use Let's Encrypt or just need a test setup +For testing purposes, you may wish to use staging certificates provide by Let's Encrypt. -- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server - -- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you - -- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically - - -## Using self-signed SSL certificates - -For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates. - -If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration: +You can do this with the following configuration: ```yaml -matrix_ssl_retrieval_method: self-signed +devture_traefik_config_certificatesResolvers_acme_use_staging: true ``` -If you get a `Cannot reach homeserver` error in Element, you will have to visit `https://matrix.` in your browser and agree to the certificate exception before you can login. +## Disabling SSL termination -## Using your own SSL certificates +For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`. -If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration: +You can do this with the following configuration: ```yaml -matrix_ssl_retrieval_method: manually-managed +devture_traefik_config_entrypoint_web_secure_enabled: false ``` -With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy: -- `/live//fullchain.pem` -- `/live//privkey.pem` -- `/live//chain.pem` - -where `` refers to the domains that you need (usually `matrix.` and `element.`). - - -## Not bothering with SSL certificates - -If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration: - -```yaml -matrix_ssl_retrieval_method: none -``` - -With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want. - - -## Obtaining SSL certificates for additional domains - -The playbook tries to be smart about the certificates it will obtain for you. - -By default, it obtains certificates for: -- `matrix.` (`matrix_server_fqn_matrix`) -- possibly for `element.`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false` -- possibly for `riot.`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true` -- possibly for `hydrogen.`, if you have explicitly [set up Hydrogen client](configuring-playbook-client-hydrogen.md). -- possibly for `cinny.`, if you have explicitly [set up Cinny client](configuring-playbook-client-cinny.md). -- possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). -- possibly for `goneb.`, if you have explicitly [set up Go-NEB bot](configuring-playbook-bot-go-neb.md). -- possibly for `jitsi.`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md). -- possibly for `stats.`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md). -- possibly for `sygnal.`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md). -- possibly for `ntfy.`, if you have explicitly [set up ntfy](configuring-playbook-ntfy.md). -- possibly for your base domain (``), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) - -If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. -To do that, simply define your own custom configuration like this: - -```yaml -# In this example, we retrieve 2 extra certificates, -# one for the base domain (in the `matrix_domain` variable) and one for a hardcoded domain. -# Adding any other additional domains (hosted on the same machine) is possible. -matrix_ssl_additional_domains_to_obtain_certificates_for: - - '{{ matrix_domain }}' - - 'another.domain.example.com' -``` - -After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should: - -- make sure the web server occupying port 80 is stopped. If you are using matrix-nginx-proxy server (which is the default for this playbook), you need to stop it temporarily by running `systemctl stop matrix-nginx-proxy` on the server. - -- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start` +## Using self-signed SSL certificates -The certificate files would be made available in `/matrix/ssl/config/live//...`. +If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)): -For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal. +- generate your self-signed certificate files +- follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below -See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-domain.conf` -Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. +## Using your own SSL certificates -## Specify the SSL private key algorithm +To use your own SSL certificates with Traefik, you need to: -If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this: +- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support +- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually +- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) +- put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually ```yaml -matrix_ssl_lets_encrypt_key_type: ecdsa +# Disable ACME / Let's Encrypt support. +devture_traefik_config_certificatesResolvers_acme_enabled: false + +# Disabling ACME support (above) automatically disables the creation of the SSL directory. +# Force-enable it here, because we'll add our certificate files there. +devture_traefik_ssl_dir_enabled: true + +# Tell Traefik to load our custom configuration file (certificates.yml). +# The file is created below, in `aux_file_definitions`. +# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it! +devture_traefik_configuration_extension_yaml: | + providers: + file: + filename: /config/certificates.yml + watch: true + +# Use the aux role to create our custom files on the server. +# If you'd like to do this manually, you remove this `aux_file_definitions` variable. +aux_file_definitions: + # Create the privkey.pem file on the server by + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" + src: /path/on/your/Ansible/computer/to/privkey.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE + + # Create the cert.pem file on the server + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" + src: /path/on/your/Ansible/computer/to/cert.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE + + # Create the custom Traefik configuration. + # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them! + - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" + content: | + tls: + certificates: + - certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem + stores: + default: + defaultCertificate: + certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem ``` diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index 1a344530c..2fbad04c2 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md @@ -11,6 +11,31 @@ See the project's [documentation](https://github.com/matrix-org/sygnal) to learn This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves. +## Decide on a domain and path + +By default, Sygnal is configured to use its own dedicated domain (`sygnal.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Sygnal. +matrix_sygnal_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /sygnal subpath +matrix_sygnal_path_prefix: /sygnal +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_sygnal` (e.g. `matrix_server_fqn_sygnal: "push.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Sygnal domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -30,7 +55,7 @@ matrix_sygnal_apps: api_key: your_api_key_for_gcm # .. more configuration .. -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_sygnal_data_path }}/my_key.p8" content: | some @@ -48,16 +73,14 @@ Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easi To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files. To do that, the above example configuration: -- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/custom/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`. +- makes use of the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) (and its `aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml) of the `aux` role for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `aux`. - references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container) ## Installing -Don't forget to add `sygnal.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start @@ -66,6 +89,6 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server. +To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is to your Sygnal URL endpoint (e.g. `https://sygnal.DOMAIN`). Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document. diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index ad1bda028..1099553bf 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -35,34 +35,6 @@ To use Synapse Admin, you need to have [registered at least one administrator ac The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN` -### Sample configuration for running behind Traefik 2.0 - -Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. - -This an extension to Traefik config sample in [own-webserver-documentation](./configuring-playbook-own-webserver.md). - -```yaml -# Don't bind any HTTP or federation port to the host -# (Traefik will proxy directly into the containers) -matrix_synapse_admin_container_http_host_bind_port: "" - -matrix_synapse_admin_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Synapse Admin container will only receive traffic from this subdomain and path - - '--label "traefik.http.routers.matrix-synapse-admin.rule=(Host(`{{ matrix_server_fqn_matrix }}`) && Path(`{{matrix_synapse_admin_public_endpoint}}`))"' - - # (Define your entrypoint) - - '--label "traefik.http.routers.matrix-synapse-admin.entrypoints=web-secure"' - - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-synapse-admin.tls.certResolver=default"' - - # The Synapse Admin container uses port 80 by default - - '--label "traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80"' -``` - ### Sample configuration for running behind Caddy v2 Below is a sample configuration for using this playbook with a [Caddy](https://caddyserver.com/v2) 2.0 reverse proxy (non-default configuration where `matrix-nginx-proxy` is disabled - `matrix_nginx_proxy_enabled: false`). diff --git a/docs/configuring-playbook-synapse-auto-compressor.md b/docs/configuring-playbook-synapse-auto-compressor.md new file mode 100644 index 000000000..108b6a114 --- /dev/null +++ b/docs/configuring-playbook-synapse-auto-compressor.md @@ -0,0 +1,36 @@ +# Setting up synapse_auto_compressor + +The playbook can install and configure [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) for you. + +It's a CLI tool that automatically compresses Synapse's `state_groups` database table in the background. + +See the project's [documentation](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) to learn what it does and why it might be useful to you. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_synapse_auto_compressor_enabled: true +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +After installation, `synapse_auto_compressor` will run automatically every day at `00:00:00` (as defined in `matrix_synapse_auto_compressor_calendar` by default). + +## Manually start the tool + +For testing your setup it can be helpful to not wait until 00:00. If you want to run the tool immediately, log onto the server +and run `systemctl start matrix-synapse-auto-compressor`. Running this command will not return control to your terminal until the compression run is done, which may take a long time. +Consider using [tmux](https://en.wikipedia.org/wiki/Tmux) if your SSH connection is unstable. diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 2dba264be..9fb26212a 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md @@ -3,8 +3,6 @@ If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3 (or other S3-compatible service), you can use the [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) media provider module for Synapse. -**`synapse-s3-storage-provider` support is very new and still relatively untested. Using it may cause data loss.** - An alternative (which has worse performance) is to use [Goofys to mount the S3 store to the local filesystem](configuring-playbook-s3-goofys.md). @@ -28,17 +26,27 @@ While you will need some local disk space around, it's only to accommodate usage ## Installing -After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#bucket-creation-and-security-configuration), you can proceed to configure Goofys in your configuration file (`inventory/host_vars/matrix./vars.yml`): +After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#bucket-creation-and-security-configuration), you can proceed to configure `s3-storage-provider` in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_synapse_ext_synapse_s3_storage_provider_enabled: true + matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1 -matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://.. # delete this whole line for Amazon S3 -matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here -matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here +matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. +# Authentication Method 1 - (access key id + secret) +# This works on all providers (AWS and other compatible systems). +# Uncomment the variables below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here +# matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here + +# Authentication Method 2 - EC2 instance profile which grants permission to access S3 +# This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set. +# Uncomment the variable below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true + # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` @@ -62,26 +70,26 @@ Migrating your existing data can happen in multiple ways: Instead of using `s3_media_upload` directly, which is very slow and painful for an initial data migration, we recommend [using another tool in combination with `s3_media_upload`](#using-another-tool-in-combination-with-s3_media_upload). -To copy your existing files, SSH into the server and run `/usr/local/bin/matrix-synapse-s3-storage-provider-shell`. +To copy your existing files, SSH into the server and run `/matrix/synapse/ext/s3-storage-provider/bin/shell`. This launches a Synapse container, which has access to the local media store, Postgres database, S3 store and has some convenient environment variables configured for you to use (`MEDIA_PATH`, `BUCKET`, `ENDPOINT`, `UPDATE_DB_DAYS`, etc). Then use the following commands (`$` values come from environment variables - they're **not placeholders** that you need to substitute): -- `s3_media_upload update-db $UPDATE_DB_DURATION` - create a local SQLite database (`cache.db`) with a list of media repository files (from the `synapse` Postgres database) eligible for operating on +1. `s3_media_upload update-db $UPDATE_DB_DURATION` - create a local SQLite database (`cache.db`) with a list of media repository files (from the `synapse` Postgres database) eligible for operating on - `$UPDATE_DB_DURATION` is influenced by the `matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count` variable (defaults to `0`) - `$UPDATE_DB_DURATION` defaults to `0d` (0 days), which means **include files which haven't been accessed for more than 0 days** (that is, **all files will be included**). -- `s3_media_upload check-deleted $MEDIA_PATH` - check whether files in the local cache still exist in the local media repository directory -- `s3_media_upload upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT` - uploads locally-stored files to S3 and deletes them from the local media repository directory +2. `s3_media_upload check-deleted $MEDIA_PATH` - check whether files in the local cache still exist in the local media repository directory +3. `s3_media_upload upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT` - uploads locally-stored files to S3 and deletes them from the local media repository directory The `s3_media_upload upload` command may take a lot of time to complete. -Instead of running the above commands manually in the shell, you can also run the `/usr/local/bin/matrix-synapse-s3-storage-provider-migrate` script which will run the same commands automatically. We demonstrate how to do it manually, because: +Instead of running the above commands manually in the shell, you can also run the `/matrix/synapse/ext/s3-storage-provider/bin/migrate` script which will run the same commands automatically. We demonstrate how to do it manually, because: - it's what the upstream project demonstrates and it teaches you how to use the `s3_media_upload` tool - allows you to check and verify the output of each command, to catch mistakes - includes progress bars and detailed output for each command -- allows you to easily interrupt slow-running commands, etc. (the `/usr/local/bin/matrix-synapse-s3-storage-provider-migrate` starts a container without interactive TTY support, so `Ctrl+C` may not work and you and require killing via `docker kill ..`) +- allows you to easily interrupt slow-running commands, etc. (the `/matrix/synapse/ext/s3-storage-provider/bin/migrate` starts a container without interactive TTY support, so `Ctrl+C` may not work and you and require killing via `docker kill ..`) ### Using another tool in combination with `s3_media_upload` @@ -93,13 +101,29 @@ To migrate your existing local data to S3, we recommend to: #### Copying data to Amazon S3 -Generally, you need to use the `aws s3` tool. +To copy to AWS S3, start a container on the Matrix server like this: + +```sh +docker run -it --rm \ +-w /work \ +--env-file=/matrix/synapse/ext/s3-storage-provider/env \ +--mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \ +--entrypoint=/bin/sh \ +docker.io/amazon/aws-cli:2.9.16 \ +-c 'aws s3 sync /work/. s3://$BUCKET/' +``` + +#### Copying data to an S3 alternative using the aws-s3 tool + +To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument. -This documentation section could use an improvement. Ideally, we'd come up with a guide like the one used in [Copying data to Backblaze B2](#copying-data-to-backblaze-b2) - running `aws s3` in a container, etc. +Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command. #### Copying data to Backblaze B2 -To copy to Backblaze B2, start a container like this: +You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below. + +To copy the data using the `b2` tool, start a container on the Matrix server like this: ```sh docker run -it --rm \ @@ -109,7 +133,7 @@ docker run -it --rm \ --env='B2_BUCKET_NAME=YOUR_BUCKET_NAME_GOES_HERE' \ --mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \ --entrypoint=/bin/sh \ -tianon/backblaze-b2:3.6.0 \ +docker.io/tianon/backblaze-b2:3.6.0 \ -c 'b2 authorize-account $B2_KEY_ID $B2_KEY_SECRET && b2 sync /work b2://$B2_BUCKET_NAME --skipNewer' ``` @@ -119,7 +143,7 @@ As described in [How it works?](#how-it-works) above, when new media is uploaded By default, we periodically ensure that all local files are uploaded to S3 and are then removed from the local filesystem. This is done automatically using: -- the `/usr/local/bin/matrix-synapse-s3-storage-provider-migrate` script +- the `/matrix/synapse/ext/s3-storage-provider/bin/migrate` script - .. invoked via the `matrix-synapse-s3-storage-provider-migrate.service` service - .. triggered by the `matrix-synapse-s3-storage-provider-migrate.timer` timer, every day at 05:00 diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 2e14f1ad4..4823c88d5 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -37,13 +37,11 @@ If you'd like more customization power, you can start with one of the presets an If you increase worker counts too much, you may need to increase the maximum number of Postgres connections too (example): ```yaml -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c 'max_connections=200'" ] ``` -**NOTE**: Disabling `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: false`) (that is, [using your own other webserver](configuring-playbook-own-webserver.md) when running a Synapse worker setup is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)). - In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. @@ -56,21 +54,73 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). +This example configuration is for [keycloak](https://www.keycloak.org/), an opensource Identity Provider maintained by Red Hat. + +For more detailed documentation on available options and how to setup keycloak, see the [Synapse documentation on OpenID Connect with keycloak](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md#keycloak). + In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ; ``` - - idp_id: keycloak - idp_name: "Keycloak" - issuer: "https://url.ix/auth/realms/x" - client_id: "matrix" - client_secret: "{{ vault_synapse_keycloak }}" - scopes: ["openid", "profile"] - authorization_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/auth" - token_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/token" - userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo" - user_mapping_provider: - config: - display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}" - email_template: "{% raw %}{{ user.email }}{% endraw %}" +matrix_synapse_configuration_extension_yaml: | + oidc_providers: + - idp_id: keycloak + idp_name: "My KeyCloak server" + issuer: "https://url.ix/auth/realms/{realm_name}" + client_id: "matrix" + client_secret: "{{ vault_synapse_keycloak }}" + scopes: ["openid", "profile"] + user_mapping_provider: + config: + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + email_template: "{% raw %}{{ user.email }}{% endraw %}" + allow_existing_users: true # Optional + backchannel_logout_enabled: true # Optional +``` + + +## Customizing templates + +[Templates](https://github.com/matrix-org/synapse/blob/develop/docs/templates.md) are used by Synapse for showing **certain web pages** handled by the server, as well as for **email notifications**. + +This playbook allows you to customize the default templates (see the [`synapse/res/templates` directory](https://github.com/matrix-org/synapse/tree/develop/synapse/res/templates)). + +If template customization is enabled, the playbook will build a custom container image based on the official one. + +Your custom templates need to live in a public or private git repository. This repository will be cloned during Synapse image customization (during the playbook run). + +To enable template customizations, use a configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) like this: + +```yaml +# If you'd like to ensure that the customized image is built each time the playbook runs, enable this. +# Otherwise, the customized image will only be rebuilt whenever the Synapse version changes (once every ~2 weeks). +# matrix_synapse_docker_image_customized_build_nocache: true + +matrix_synapse_container_image_customizations_templates_enabled: true + +# Our templates live in a templates/ directory within the repository. +# If they're at the root path, delete this line. +matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates + +matrix_synapse_container_image_customizations_templates_git_repository_url: git@github.com:organization/repository.git +matrix_synapse_container_image_customizations_templates_git_repository_branch: main + +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: true +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: github.com + +# If your git repository is public, do not define the private key (remove the variable). +matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key: | + -----BEGIN OPENSSH PRIVATE KEY----- + .... + -----END OPENSSH PRIVATE KEY----- ``` +As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory. +Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates. + + +## Monitoring Synapse Metrics with Prometheus and Grafana + +This playbook allows you to enable Synapse metrics, which can provide insight into the performance and activity of Synapse. + +To enable Synapse metrics see [`configuring-playbook-prometheus-grafana.md`](./configuring-playbook-prometheus-grafana.md) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index a97fa59c8..74f59dfc8 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md @@ -12,15 +12,17 @@ growth of the Matrix community, and helps to make Matrix a success. If you'd like to **help by enabling submission of general usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_synapse_report_stats: true +matrix_synapse_report_stats: true # for synapse + +matrix_dendrite_report_stats: true # for dendrite ``` ## Usage statistics being submitted -When enabled, Synapse will regularly upload a few dozen statistics about your server. +When enabled, your homeserver will regularly upload a few dozen statistics about your server. This data includes your homeserver's domain, the total number of users, the number of active users, the total number of rooms, and the number of messages sent per day on your homeserver. -See [Synapse's documentation](https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/monitoring/reporting_homeserver_usage_statistics.md#available-statistics) +See [Synapse's documentation](https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/monitoring/reporting_homeserver_usage_statistics.md#available-statistics) or [Dendrite's documentation](https://github.com/matrix-org/dendrite/blob/main/docs/FAQ.md#what-is-being-reported-when-enabling-phone-home-statistics) for the full list of statistics that are reported. diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md new file mode 100644 index 000000000..0485742da --- /dev/null +++ b/docs/configuring-playbook-traefik.md @@ -0,0 +1,50 @@ +# Configure Traefik (optional, advanced) + +By default, this playbook installs and manages a [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server, powered by the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) Ansible role. + +This Ansible role support various configuration options. Feel free to consult its `default/main.yml` variables file. + + +## Adjusting SSL certificate retrieval + +See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) documentation page. + +## Increase logging verbosity + +```yaml +devture_traefik_config_log_level: DEBUG +``` + +## Disable access logs + +This will disable access logging. + +```yaml +devture_traefik_config_accessLog_enabled: false +``` + +## Enable Traefik Dashboard + +This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.DOMAIN/dashboard/` (note the trailing `/`). + +```yaml +devture_traefik_dashboard_enabled: true +devture_traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}" +devture_traefik_dashboard_basicauth_enabled: true +devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE +devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE +``` + +**WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts. + +## Additional configuration + +Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists. + +```yaml +# This is a contrived example. +# You can enable and secure the Dashboard using dedicated variables. See above. +devture_traefik_configuration_extension_yaml: | + api: + dashboard: true +``` diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index c1d777a89..365fea4b1 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md @@ -15,6 +15,13 @@ matrix_coturn_enabled: false In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail. +## Manually defining your public IP +In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring Coturn. +If you'd rather use a local IP for `ansible_host`, make sure to set up `matrix_coturn_turn_external_ip_address` replacing `YOUR_PUBLIC_IP` with the pubic IP used by the server. + +```yaml +matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP" +``` ## Using your own external Coturn server @@ -36,7 +43,10 @@ If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might If you do not do it, Jitsi will fall back to an upstream service. ```yaml -matrix_jitsi_web_stun_servers: +jitsi_web_stun_servers: - stun:HOSTNAME_OR_IP:PORT ``` You can put multiple host/port combinations if you like. + +## Further variables and configuration options +To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md new file mode 100644 index 000000000..d33c7147d --- /dev/null +++ b/docs/configuring-playbook-user-verification-service.md @@ -0,0 +1,125 @@ +# Setting up Matrix User Verification Service (optional) + +**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.** +If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. + +Currently, the main purpose of this role is to allow Jitsi to authenticate matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works. + +**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. + +If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in `group_vars/matrix_servers`. + +__Some general concepts of UVS may be helpful to understand the rest, so here they are:__ + +UVS can be used to verify two claims: + +* (A) Whether a given OpenID token is valid for a given server and +* (B) whether a user is member of a given room and the corresponding PowerLevel + +Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain. +The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this. +By default, this playbook only checks against `matrix_server_fqn_matrix`. +Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`. + +Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network. +UVS will verify the validity of the token beforehand though. + +## Prerequisites + +In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS. + +## Enable + +[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default. +You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_user_verification_service_enabled: true +``` + +## Configuration + +The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below). + +For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml). +But be aware of all the plugging happening in `group_vars/matrix_servers`. + +In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host. +However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. + +### Access token + +The Synapse Access Token is used to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`. + +We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username). +Follow our [Registering users](registering-users.md) guide to register a user with administration privileges. + +You are required to specify an access token (belonging to this new user) for UVS to work. +To get an access token for the UVS user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md). + +**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** + +```yaml +matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE" +``` + +### (Optional) Custom Auth Token + +It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN" + +By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`. +To set your own Token, simply put the following in your host_vars. + +```yaml +matrix_user_verification_service_uvs_auth_token: "TOKEN" +``` + +In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. + +### (Optional) Disable Auth +Authorization is enabled by default. To disable set + +```yaml +matrix_user_verification_service_uvs_require_auth: false +``` + +in your host_vars. + +### (Optional) Federation + +In theory (however currently untested), UVS can handle federation. Simply set: + +```yaml +matrix_user_verification_service_uvs_pin_openid_verify_server_name: false +``` + +in your host_vars. + +This will instruct UVS to verify the OpenID token against any domain given in a request. +Homeserver discovery is done via '.well-known/matrix/server' of the given domain. + +## Installation + +After these variables have been set, please run the following command to re-run setup and to restart UVS: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start +``` + +## Logging + +The configuration variable `UVS_LOG_LEVEL` can be set to: +- warning +- info +- debug + +## TLS Certificate Checking +If the matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message: + +> message: 'No response received: [object Object]', + +This also applies to self-signed and let's encrypt staging certificates. + +To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0` + +Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 127ab47da..a4746a62c 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -12,7 +12,7 @@ You can then follow these steps inside the playbook directory: 1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) -1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/*/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. 1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) @@ -47,8 +47,12 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Configuring Conduit](configuring-playbook-conduit.md), if you've switched to the [Conduit](https://conduit.rs) homeserver implementation (optional) + - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation (optional) + - [Configuring Element](configuring-playbook-client-element.md) (optional) +- [Storing Matrix media files using matrix-media-repo](configuring-playbook-matrix-media-repo.md) (optional) + - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) @@ -57,9 +61,11 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional) -- [Configure Nginx](configuring-playbook-nginx.md) (optional, advanced) +- [Configure the Traefik reverse-proxy](configuring-playbook-traefik.md) (optional, advanced) + +- (Deprecated) [Configure the Nginx reverse-proxy](configuring-playbook-nginx.md) (optional, advanced) -- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) +- [Using your own webserver, instead of this playbook's default reverse-proxy](configuring-playbook-own-webserver.md) (optional, advanced) - [Adjusting TURN server configuration](configuring-playbook-turn.md) (optional, advanced) @@ -97,6 +103,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) +- [Matrix User Verification Service](configuring-playbook-user-verification-service.md) (optional, advanced) + ### Bridging other networks @@ -104,6 +112,10 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) +- [Setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md) (optional) + +- [Setting up Mautrix Google Messages bridging](configuring-playbook-bridge-mautrix-gmessages.md) (optional) + - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) - [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional) @@ -159,6 +171,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Bots +- [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) - a bot through which you can talk to the [ChatGPT](https://openai.com/blog/chatgpt/) model(optional) + - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) - [Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) - a bot to create and manage registration tokens to invite users (optional) @@ -171,6 +185,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) +- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer (optional) + - [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional) @@ -183,8 +199,14 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Other specialized services +- [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers (optional) + +- [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional) + - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) - [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional) + +- [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 737a44578..e89161f7e 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/telegram](https://mau.dev/mautrix/telegram/container_registry) - the [mautrix-telegram](https://github.com/mautrix/telegram) bridge to [Telegram](https://telegram.org/) (optional) +- [mautrix/gmessages](https://mau.dev/mautrix/gmessages/container_registry) - the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge to [Google Messages](https://messages.google.com/) (optional) + - [mautrix/whatsapp](https://mau.dev/mautrix/whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) diff --git a/docs/faq.md b/docs/faq.md index f2df8698b..d47c8b77d 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -125,7 +125,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place -- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up [Traefik](https://doc.traefik.io/traefik/) for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) - this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md)) @@ -262,7 +262,7 @@ matrix_server_fqn_element: "element.YOUR_BASE_DOMAIN" # Feel free to use `dimension.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. matrix_server_fqn_dimension: "dimension.YOUR_BASE_DOMAIN" -# This is where you access Jitsi (if enabled via `matrix_jitsi_enabled: true`; NOT enabled by default). +# This is where you access Jitsi (if enabled via `jitsi_enabled: true`; NOT enabled by default). # # Feel free to use `jitsi.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. matrix_server_fqn_jitsi: "jitsi.YOUR_BASE_DOMAIN" @@ -317,12 +317,12 @@ If you've installed [Jitsi](configuring-playbook-jitsi.md) (not installed by def Yes, we can stop installing Docker ourselves. Just use this in your `vars.yml` file: ```yaml -matrix_docker_installation_enabled: true +matrix_playbook_docker_installation_enabled: false ``` ### I run another webserver on the same server where I wish to install Matrix. What now? -By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). +By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md). ### How is the effective configuration determined? @@ -336,12 +336,14 @@ Configuration variables are defined in multiple places in this playbook and are ### What configuration variables are available? -You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`). +You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`). As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`. Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). + ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? The playbook doesn't aim to expose all configuration settings for all services using variables. @@ -352,7 +354,9 @@ See [What configuration variables are available?](#what-configuration-variables- Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration. -Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it. +Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it. + +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). ## Installation @@ -461,15 +465,8 @@ After verifying that everything still works after the Postgres upgrade, you can ### How do I debug or force SSL certificate renewal? -SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers). - -If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using: - -- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service` -- *or* by looking at the log files in `/matrix/ssl/log/` - -To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again. +SSL certificates are managed automatically by the [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server. -If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer. +If you're having trouble with SSL certificate renewal, check the Traefik logs (`journalctl -fu matrix-traefik`). -If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files. +If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (Traefik), you should investigate in another way. diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index e9ca5bde6..e9a6b23d8 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to: - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. +For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md) ### Obtaining certificates diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md new file mode 100644 index 000000000..a1afe59de --- /dev/null +++ b/docs/howto-srv-server-delegation.md @@ -0,0 +1,206 @@ +# Server Delegation via a DNS SRV record (advanced) + +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain. + +This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required. + +## Prerequisites + +SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate. + +To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge). + +This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate. + +The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) + +## The changes + +### Federation Endpoint + +```yaml +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) +``` + +This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint. + +### Tell Traefik which certificate to serve for the federation endpoint + +Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name. + +This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work. + +```yaml +# To let Traefik know which domains' certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" +``` + +### Configure the DNS-01 challenge for let's encrypt + +Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge. + +This will need 3 changes: +1. Add a new certificate resolver that works with DNS-01 +2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set) +3. Tell the playbook to use the new resolver as default + +We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook. + +```yaml +# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # To use a staging endpoint for testing purposes, uncomment the line below. + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare) +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# 3. Instruct the playbook to use the new ACME configuration +devture_traefik_certResolver_primary: dns +``` + +## Adjust Coturn's configuration + +The last step is to alter the generated Coturn configuration. + +By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting. + +We also need to indicate to Coturn where the wildcard certificate is. + +**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`). + +This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically. + +```yaml +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` + +## Full example of a working configuration + +```yaml +# Choosing the reverse proxy implementation +matrix_playbook_reverse_proxy_type: playbook-managed-traefik +devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com + +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) + +# To let Traefik know which domains' certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" + +# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # To use a staging endpoint for testing purposes, uncomment the line below. + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# Instruct thep laybook to use the new ACME configuration +devture_traefik_certResolver_primary: "dns" + +# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare) +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index fe3817f53..3c6935780 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -20,17 +20,17 @@ Before doing the actual import, **you need to upload your Postgres dump file to ## Importing -To import, run this command (make sure to replace `` with a file path on your server): +To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server): ```sh -ansible-playbook -i inventory/hosts setup.yml \ ---extra-vars='server_path_postgres_dump= postgres_default_import_database=matrix' \ ---tags=import-postgres +just run-tags import-postgres \ +--extra-vars=server_path_postgres_dump=SERVER_PATH_TO_POSTGRES_DUMP_FILE \ +--extra-vars=postgres_default_import_database=matrix ``` **Notes**: -- `` must be a file path to a Postgres dump file on the server (not on your local machine!) +- `SERVER_PATH_TO_POSTGRES_DUMP_FILE` must be a file path to a Postgres dump file on the server (not on your local machine!) - `postgres_default_import_database` defaults to `matrix`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly @@ -86,7 +86,7 @@ In this case you can use the command suggested in the import task to clear the d # systemctl start matrix-postgres ``` -Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc. +Now on your local machine run `just run-tags setup-postgres` to prepare the database roles etc. If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database. ``` @@ -97,9 +97,9 @@ Once the database is clear and the ownership of the tables has been fixed in the Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal) ``` -/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse" +/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:15.0-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse" ``` ### Hints -To open psql terminal run `/usr/local/bin/matrix-postgres-cli` +To open psql terminal run `/matrix/postgres/bin/cli` diff --git a/docs/importing-synapse-sqlite.md b/docs/importing-synapse-sqlite.md index aade22261..b5aa9f218 100644 --- a/docs/importing-synapse-sqlite.md +++ b/docs/importing-synapse-sqlite.md @@ -3,24 +3,28 @@ Run this if you'd like to import your database from a previous default installation of Synapse. (don't forget to import your `media_store` files as well - see [the importing-synapse-media-store guide](importing-synapse-media-store.md)). -While this playbook always sets up PostgreSQL, by default a Synapse installation would run -using an SQLite database. +While this playbook only supports running Synapse in combination with PostgreSQL, a Synapse instance installed manually usually defaults to using an SQLite database. -If you have such a Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. +If you have such a Synapse setup and wish to migrate it to one managed by the playbook (and over to PostgreSQL), this documentation page is for you. ## Prerequisites -Before doing the actual import, **you need to upload your SQLite database file to the server** (any path is okay). +Before doing the actual import: +- **ensure you have NOT started Synapse yet**. That is, make sure you have followed the [Installing step](installing.md), but haven't run the playbook's `start` tag yet. If you had started your new Synapse instance, it may have already initialized your Postgres database and importing onto it may not work. In such cases, you may need to clean up the `synapse` database first. +- **ensure you have uploaded your SQLite database file to the server** (any path is okay) +- if you're using the integrated Postgres server (**by default, you are** using it, unless you've explicitly switched to [Using an external PostgreSQL server](configuring-playbook-external-postgres.md)), **make sure Postgres is started** by running `just start-group postgres` ## Importing Run this command (make sure to replace `` with a file path on your server): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-synapse-sqlite-db +```sh +just run-tags import-synapse-sqlite-db --extra-vars=server_path_homeserver_db= +``` **Notes**: -- `` must be a file path to a `homeserver.db` **file on the server** (not on your local machine!). +- `` must be replaced with a file path to a `homeserver.db` **file on the server** (not on your local machine!). - if the SQLite database is from an older version of Synapse, the **importing procedure may run migrations on it to bring it up to date**. That is, your SQLite database file may get modified and become unusable with your older Synapse version. Keeping a copy of the original is probably wise. diff --git a/docs/installing.md b/docs/installing.md index 53a86585c..c85ce1e63 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -2,7 +2,7 @@ If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. -**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `make roles`. `make roles` is a shortcut (a `roles` target defined in [`Makefile`](Makefile) and executed by the [`make`](https://www.gnu.org/software/make/) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `make`, you can also manually run the `roles` commands seen in the `Makefile`. +**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`. ## Playbook tags introduction @@ -13,9 +13,13 @@ The general command syntax is: `ansible-playbook -i inventory/hosts setup.yml -- Here are some playbook tags that you should be familiar with: -- `setup-all` - runs all setup tasks for all components, but does not start/restart services +- `setup-all` - runs all setup tasks (installation and uninstallation) for all components, but does not start/restart services -- `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/*/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag). +- `install-all` - like `setup-all`, but skips uninstallation tasks. Useful for maintaining your setup quickly when its components remain unchanged. If you adjust your `vars.yml` to remove components, you'd need to run `setup-all` though, or these components will still remain installed + +- `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/**/tasks/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag). + +- `install-SERVICE` (e.g. `install-bot-postmoogle`) - like `setup-SERVICE`, but skips uninstallation tasks. See `install-all` above for additional information. - `start` - starts all systemd services and makes them start automatically in the future @@ -23,7 +27,7 @@ Here are some playbook tags that you should be familiar with: - `ensure-matrix-users-created` - a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created -`setup-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc. +`setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc. ## 1. Installing Matrix @@ -40,7 +44,7 @@ There 2 ways to start the installation process - depending on whether you're [In If this is **a brand new** Matrix server and you **won't be importing old data into it**, run all these tags: ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start +ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start ``` This will do a full installation and start all Matrix services. @@ -53,10 +57,10 @@ Proceed to [Maintaining your setup in the future](#2-maintaining-your-setup-in-t If you will be importing data into your newly created Matrix server, install it, but **do not** start its services just yet. Starting its services or messing with its database now will affect your data import later on. -To do the installation **without** starting services, run only the `setup-all` tag: +To do the installation **without** starting services, run only the `install-all` tag: ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all +ansible-playbook -i inventory/hosts setup.yml --tags=install-all ``` When this command completes, services won't be running yet. @@ -82,6 +86,10 @@ Proceed to [Maintaining your setup in the future](#2-maintaining-your-setup-in-t Feel free to **re-run the setup command any time** you think something is off with the server configuration. Ansible will take your configuration and update your server to match. +Note that if you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with `--tags=setup-all` instead of `--tags=install-all`. See [Playbook tags introduction](#playbook-tags-introduction) + +A way to invoke these `ansible-playbook` commands with less typing in the future is to use [just](https://github.com/casey/just) to run them: `just install-all` or `just setup-all`. See [our `justfile`](../justfile) for more information. + ## 3. Finalize the installation diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 52d2d9eed..cc8898a2a 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -16,7 +16,7 @@ Table of contents: ## Getting a database terminal -You can use the `/usr/local/bin/matrix-postgres-cli` tool to get interactive terminal access ([psql](https://www.postgresql.org/docs/11/app-psql.html)) to the PostgreSQL server. +You can use the `/matrix/postgres/bin/cli` tool to get interactive terminal access ([psql](https://www.postgresql.org/docs/11/app-psql.html)) to the PostgreSQL server. If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above tool will not be available. @@ -41,7 +41,7 @@ To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sq Example: ```bash -ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start +just run-tags run-postgres-vacuum,start ``` **Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`). @@ -78,7 +78,11 @@ Upgrades must be performed manually. This playbook can upgrade your existing Postgres setup with the following command: - ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres +```sh +just run-tags upgrade-postgres +``` + +**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` @@ -97,7 +101,7 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` ## Tuning PostgreSQL -PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `devture_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. **Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) @@ -107,7 +111,7 @@ These are not recommended values and they may not work well for you. This is jus Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: ``` -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c shared_buffers=128MB", "-c effective_cache_size=2304MB", "-c effective_io_concurrency=100", @@ -118,7 +122,7 @@ matrix_postgres_process_extra_arguments: [ Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: ``` -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c max_connections=100", "-c shared_buffers=2GB", "-c effective_cache_size=6GB", @@ -140,7 +144,7 @@ matrix_postgres_process_extra_arguments: [ Here is an example config for a large 6 core server with 24GB of RAM: ``` -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c max_connections=40", "-c shared_buffers=1536MB", "-c checkpoint_completion_target=0.7", diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index a51811ffa..7c3ecc1b3 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -29,7 +29,9 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. If your server participates in large rooms this is the most effective way to reduce the size of your database. -This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. +**Note**: besides running the `rust-synapse-compress-state` tool manually, you can also enable its `synapse-auto-compressor` tool by [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md). The automatic tool will run on a schedule every day and you won't have to compress state manually ever again. + +`rust-synapse-compress-state` should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. To ask the playbook to run rust-synapse-compress-state, execute: diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index d1c707fd6..b65eadd77 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md @@ -10,8 +10,8 @@ To upgrade services: - take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of -- download the upstream Ansible roles used by the playbook by running `make roles` +- download the upstream Ansible roles used by the playbook by running `just roles` -- re-run the [playbook setup](installing.md) and restart all serivces: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start` +- re-run the [playbook setup](installing.md) and restart all services: `just setup-all` **Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). diff --git a/docs/prerequisites.md b/docs/prerequisites.md index c0a906408..be60a5f45 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -20,9 +20,11 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. +- the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library installed on the computer you run Ansible. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc. + - [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components. -- [`make`](https://www.gnu.org/software/make/) for running `make roles`, etc. (see [`Makefile`](../Makefile)), although you can also run these commands manually (without `make`) +- [`just`](https://github.com/casey/just) for running `just roles`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually - An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). diff --git a/docs/registering-users.md b/docs/registering-users.md index 90c065bfe..51fdef346 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -9,21 +9,29 @@ Table of contents: - [Managing users via a Web UI](#managing-users-via-a-web-ui) - [Letting certain users register on your private server](#letting-certain-users-register-on-your-private-server) - [Enabling public user registration](#enabling-public-user-registration) - - [Adding/Removing Administrator privileges to an existing user](#addingremoving-administrator-privileges-to-an-existing-user) + - [Adding/Removing Administrator privileges to an existing Synapse user](#addingremoving-administrator-privileges-to-an-existing-synapse-user) ## Registering users manually You can do it via this Ansible playbook (make sure to edit the `` and `` part below): +```sh +just register-user + +# Example: `just register-user john secret-password yes` ``` + +**or** by invoking `ansible-playbook` manually: + +```sh ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password= admin=' --tags=register-user ``` **or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): -``` -/usr/local/bin/matrix-synapse-register-user +```sh +/matrix/synapse/bin/register-user ``` **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. @@ -58,13 +66,24 @@ and running the [installation](installing.md) procedure once again. If you're opening up registrations publicly like this, you might also wish to [configure CAPTCHA protection](configuring-captcha.md). -## Adding/Removing Administrator privileges to an existing user - -The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges. +## Adding/Removing Administrator privileges to an existing Synapse user -* log on to your server with ssh -* execute with the username and 0/1 (0 = non-admin | 1 = admin) +To change the admin privileges for a user, you need to run an SQL query like this against the `synapse` database: +```sql +UPDATE users SET admin=ADMIN_VALUE WHERE name = '@USER:DOMAIN' ``` -/usr/local/bin/matrix-change-user-admin-status <0/1> -``` + +where: + +- `ADMIN_VALUE` being either `0` (regular user) or `1` (admin) +- `USER` and `DOMAIN` pointing to a valid user on your server + +If you're using the integrated Postgres server and not an [external Postgres server](configuring-playbook-external-postgres.md), you can launch a Postgres into the `synapse` database by: + +- running `/matrix/postgres/bin/cli` - to launch [`psql`](https://www.postgresql.org/docs/current/app-psql.html) +- running `\c synapse` - to change to the `synapse` database + +You can then proceed to run the query above. + +**Note**: directly modifying the raw data of Synapse (or any other software) could cause the software to break. You've been warned! diff --git a/docs/self-building.md b/docs/self-building.md index 3351a1f8f..3fe826da1 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -6,11 +6,11 @@ The playbook supports self-building of various components, which don't have a co For other architectures (e.g. `arm32`, `arm64`), ready-made container images are used when available. If there's no ready-made image for a specific component and said component supports self-building, an image will be built on the host. Building images like this takes more time and resources (some build tools need to get installed by the playbook to assist building). -To make use of self-building, you don't need to do anything besides change your architecture variable (e.g. `matrix_architecture: arm64`). If a component has an image for the specified architecture, the playbook will use it directly. If not, it will build the image on the server itself. +To make use of self-building, you don't need to do anything. If a component has an image for the specified architecture, the playbook will use it directly. If not, it will build the image on the server itself. Note that **not all components support self-building yet**. -List of roles where self-building the Docker image is currently possible: +Possibly outdated list of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` - `matrix-client-element` @@ -32,6 +32,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-signal` +- `matrix-bridge-mautrix-gmessages` - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-steam` - `matrix-bot-mjolnir` diff --git a/docs/uninstalling.md b/docs/uninstalling.md index 73af01d91..73a414ede 100644 --- a/docs/uninstalling.md +++ b/docs/uninstalling.md @@ -12,7 +12,7 @@ ## Uninstalling using a script -Installing places a `/usr/local/bin/matrix-remove-all` script on the server. +Installing places a `/matrix/bin/remove-all` script on the server. You can run it to to have it uninstall things for you automatically (see below). **Use with caution!** @@ -25,8 +25,6 @@ If you prefer to uninstall manually, run these commands (most are meant to be ex - delete the Matrix-related systemd `.service` and `.timer` files (`rm -f /etc/systemd/system/matrix*.{service,timer}`) and reload systemd (`systemctl daemon-reload`) -- delete some helper scripts (`rm -f /usr/local/bin/matrix*`) - - delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`) - delete the Docker networks: `docker network rm matrix matrix-coturn` (might have been deleted already if you ran the `docker system prune` command) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 2ea20d2f6..98663c601 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -1,6 +1,6 @@ # Updating users passwords -## Option 1 (if you are using the default matrix-postgres container): +## Option 1 (if you are using the integrated Postgres database): You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below): @@ -36,7 +36,7 @@ Use the Synapse User Admin API as described here: https://github.com/matrix-org/ This requires an [access token](obtaining-access-tokens.md) from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* -If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). +If you didn't make your account a server admin when you created it, you can learn how to switch it now by reading about it in [Adding/Removing Administrator privileges to an existing Synapse user](registering-users.md#addingremoving-administrator-privileges-to-an-existing-synapse-user). ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse index c1893ebbf..46c48ab65 100644 --- a/examples/caddy/matrix-synapse +++ b/examples/caddy/matrix-synapse @@ -21,11 +21,11 @@ https://matrix.DOMAIN { } # Synapse Client<>Server API - proxy /_matrix matrix-synapse:8008 { + proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 { transparent except /_matrix/identity/ /_matrix/client/r0/user_directory/search } - proxy /_synapse/client matrix-synapse:8008 { + proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 { transparent } } diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 43005ca41..2ffcea520 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -1,112 +1,10 @@ -(cors) { - @cors_preflight method OPTIONS - - handle @cors_preflight { - header Access-Control-Allow-Origin "{args.0}" - header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" - header Access-Control-Allow-Headers "Content-Type, Authorization" - header Access-Control-Max-Age "3600" - } -} - - -matrix.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - @identity { - path /_matrix/identity/* - } - - @noidentity { - not path /_matrix/identity/* - } - - @search { - path /_matrix/client/r0/user_directory/search/* - } - - @nosearch { - not path /_matrix/client/r0/user_directory/search/* - } - - @static { - path /matrix/static-files/* - } - - @nostatic { - not path /matrix/static-files/* - } - - @wellknown { - path /.well-known/matrix/* - } - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - - # identity - handle @identity { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - # search - handle @search { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - handle @wellknown { - encode zstd gzip - root * /matrix/static-files - header Cache-Control max-age=14400 - header Content-Type application/json - header Access-Control-Allow-Origin * - file_server - } - - # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain - #handle @wellknown { - # # .well-known is handled by base domain - # reverse_proxy https://DOMAIN.tld { - # header_up Host {http.reverse_proxy.upstream.hostport} - #} +matrix.example.tld { handle { encode zstd gzip - reverse_proxy localhost:8008 { + reverse_proxy localhost:81 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -114,13 +12,12 @@ matrix.DOMAIN.tld { } } -matrix.DOMAIN.tld:8448 { +matrix.example.tld:8448 { handle { encode zstd gzip - reverse_proxy 127.0.0.1:8048 { + reverse_proxy 127.0.0.1:8449 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 { } } -element.DOMAIN.tld { - # creates letsencrypt certificate - # tls your@email.com - - import cors https://*.DOMAIN.tld - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered - # Content-Security-Policy frame-src https://*.DOMAIN.tld - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip +example.tld { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server + @wellknown { + path /.well-known/matrix/* + } - reverse_proxy localhost:8765 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} + handle @wellknown { + reverse_proxy https://matrix.example.tld { + header_up Host {http.reverse_proxy.upstream.hostport} } + } } - -#dimension.DOMAIN.tld { -# -# # creates letsencrypt certificate -# # tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# # X-Robots-Tag -# X-Robots-Tag "noindex, noarchive, nofollow" -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy localhost:8184 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} - - -#jitsi.DOMAIN.tld { -# -# creates letsencrypt certificate -# tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" - -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# -# # Disable some features -# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" -# -# # Referer -# Referrer-Policy "no-referrer" -# -# # X-Robots-Tag -# X-Robots-Tag "none" -# -# # Remove Server header -# -Server -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy 127.0.0.1:13080 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} -#DOMAIN.com { -# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server -# @wellknown { -# path /.well-known/matrix/* -# } -# -# handle @wellknown { -# reverse_proxy https://matrix.DOMAIN.com { -# header_up Host {http.reverse_proxy.upstream.hostport} -# } -# } -# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain -# # handle /.well-known/* { -# # encode zstd gzip -# # header Cache-Control max-age=14400 -# # header Content-Type application/json -# # header Access-Control-Allow-Origin * -# #} -# -# # Configration for the base domain goes here -# # handle { -# # header -Server -# # encode zstd gzip -# # reverse_proxy localhost:4020 -# # } -#} diff --git a/examples/caddy2/Caddyfile.deprecated b/examples/caddy2/Caddyfile.deprecated new file mode 100644 index 000000000..43005ca41 --- /dev/null +++ b/examples/caddy2/Caddyfile.deprecated @@ -0,0 +1,269 @@ +(cors) { + @cors_preflight method OPTIONS + + handle @cors_preflight { + header Access-Control-Allow-Origin "{args.0}" + header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" + header Access-Control-Allow-Headers "Content-Type, Authorization" + header Access-Control-Max-Age "3600" + } +} + + +matrix.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + @identity { + path /_matrix/identity/* + } + + @noidentity { + not path /_matrix/identity/* + } + + @search { + path /_matrix/client/r0/user_directory/search/* + } + + @nosearch { + not path /_matrix/client/r0/user_directory/search/* + } + + @static { + path /matrix/static-files/* + } + + @nostatic { + not path /matrix/static-files/* + } + + @wellknown { + path /.well-known/matrix/* + } + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + # Cache + header @static { + # Cache + Cache-Control "public, max-age=31536000" + defer + } + + # identity + handle @identity { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + # search + handle @search { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + + # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain + #handle @wellknown { + # # .well-known is handled by base domain + # reverse_proxy https://DOMAIN.tld { + # header_up Host {http.reverse_proxy.upstream.hostport} + #} + + handle { + encode zstd gzip + + reverse_proxy localhost:8008 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +matrix.DOMAIN.tld:8448 { + handle { + encode zstd gzip + + reverse_proxy 127.0.0.1:8048 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +element.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + import cors https://*.DOMAIN.tld + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered + # Content-Security-Policy frame-src https://*.DOMAIN.tld + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + handle { + encode zstd gzip + + reverse_proxy localhost:8765 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } +} + +#dimension.DOMAIN.tld { +# +# # creates letsencrypt certificate +# # tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# # X-Robots-Tag +# X-Robots-Tag "noindex, noarchive, nofollow" +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy localhost:8184 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} + + +#jitsi.DOMAIN.tld { +# +# creates letsencrypt certificate +# tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" + +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# +# # Disable some features +# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" +# +# # Referer +# Referrer-Policy "no-referrer" +# +# # X-Robots-Tag +# X-Robots-Tag "none" +# +# # Remove Server header +# -Server +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy 127.0.0.1:13080 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} +#DOMAIN.com { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server +# @wellknown { +# path /.well-known/matrix/* +# } +# +# handle @wellknown { +# reverse_proxy https://matrix.DOMAIN.com { +# header_up Host {http.reverse_proxy.upstream.hostport} +# } +# } +# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain +# # handle /.well-known/* { +# # encode zstd gzip +# # header Cache-Control max-age=14400 +# # header Content-Type application/json +# # header Access-Control-Allow-Origin * +# #} +# +# # Configration for the base domain goes here +# # handle { +# # header -Server +# # encode zstd gzip +# # reverse_proxy localhost:4020 +# # } +#} diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index fe8d57637..d4bfb4755 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -1,12 +1,20 @@ -# Caddyfile +# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains sample files that show you how to do reverse-proxying using Caddy2. +This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy. -## Config -| Variable | Function | -| ------------------ | -------- | -| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | -| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the Caddyfile + +You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile. +In both cases make sure to replace all the `example.tld` domains with your own domain. + +This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. + +# Caddyfile.deprecated + +This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above. diff --git a/examples/hosts b/examples/hosts index ba08107b9..cb6459f97 100644 --- a/examples/hosts +++ b/examples/hosts @@ -2,7 +2,9 @@ # If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`. # # To connect using a non-root user (and elevate to root with sudo later), -# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root` +# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`. +# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line +# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands. # # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`. # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False` diff --git a/examples/nginx/README.md b/examples/nginx/README.md new file mode 100644 index 000000000..d8698ba6b --- /dev/null +++ b/examples/nginx/README.md @@ -0,0 +1,17 @@ +# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy + +This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. + + +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the nginx configuration + +Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it in your nginx configuration (e.g. `include /path/to/matrix.conf;`). + +This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host. + +Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager. diff --git a/examples/nginx/matrix.conf b/examples/nginx/matrix.conf new file mode 100644 index 000000000..366a8a8eb --- /dev/null +++ b/examples/nginx/matrix.conf @@ -0,0 +1,96 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # TODO: add/remove services and their subdomains if you use/don't use them + # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com + # if you don't use those, you can remove them + # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list + server_name example.com matrix.example.com element.example.com; + + location / { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise, nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://localhost:81; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# settings for matrix federation +server { + # For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + server_name matrix.example.com; + + location / { + proxy_pass http://localhost:8449; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# ensure using https +# TODO: remove server blocks that you don't use / add server blocks for domains you do use +server { + if ($host = example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = matrix.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name matrix.example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = element.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name element.example.com; + listen 80; + return 404; # managed by Certbot +} \ No newline at end of file diff --git a/examples/vars.yml b/examples/vars.yml index e1b6cf054..784bf0613 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -21,6 +21,11 @@ matrix_homeserver_implementation: synapse # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_homeserver_generic_secret_key: '' +# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server. +# It will retrieve SSL certificates for you on-demand and forward requests to all other components. +# For alternatives, see `docs/configuring-playbook-own-webserver.md`. +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. @@ -29,10 +34,10 @@ matrix_homeserver_generic_secret_key: '' # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # # Example value: someone@example.com -matrix_ssl_lets_encrypt_support_email: '' +devture_traefik_config_certificatesResolvers_acme_email: '' # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. -matrix_postgres_connection_password: '' +devture_postgres_connection_password: '' diff --git a/flake.nix b/flake.nix new file mode 100644 index 000000000..412309a89 --- /dev/null +++ b/flake.nix @@ -0,0 +1,19 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; + + outputs = { self, nixpkgs, ... }: + let + pkgs = import nixpkgs { system = "x86_64-linux"; }; + in + { + devShell.x86_64-linux = pkgs.mkShell { + buildInputs = with pkgs; [ + just + python311Packages.ansible-core + python311Packages.passlib + ]; + LC_ALL = "C.UTF-8"; + LC_CTYPE = "C.UTF-8"; + }; + }; +} diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers new file mode 100644 index 000000000..af927c9f1 --- /dev/null +++ b/group_vars/jitsi_jvb_servers @@ -0,0 +1,11 @@ +jitsi_architecture: "{{ matrix_architecture }}" +jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +jitsi_uid: "{{ matrix_user_uid }}" +jitsi_gid: "{{ matrix_user_gid }}" + +devture_systemd_service_manager_services_list_auto: | + {{ + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + }} + +matrix_playbook_docker_installation_enabled: true diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 85e2d6113..d868c8be4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -9,6 +9,384 @@ # You can also override ANY variable (seen here or in any given role), # by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). +######################################################################## +# # +# Playbook # +# # +######################################################################## + +# Controls whether to install Docker or not +# Also see `devture_docker_sdk_for_python_installation_enabled`. +matrix_playbook_docker_installation_enabled: true + +# Controls whether to attach Traefik labels to services. +# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook, +# yet still use Traefik installed in another way. +matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" + +# Controls the additional network that reverse-proxyable services will be connected to. +matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" + +matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}" + +matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}" + +######################################################################## +# # +# /Playbook # +# # +######################################################################## + + +######################################################################## +# # +# aux # +# # +######################################################################## + +aux_directory_default_owner: "{{ matrix_user_username }}" +aux_directory_default_group: "{{ matrix_user_groupname }}" + +aux_file_default_owner: "{{ matrix_user_username }}" +aux_file_default_group: "{{ matrix_user_groupname }}" + +######################################################################## +# # +# /aux # +# # +######################################################################## + + +######################################################################## +# # +# base # +# # +######################################################################## + +matrix_homeserver_container_extra_arguments_auto: | + {{ + (['--mount type=bind,src=' + matrix_appservice_discord_config_path + '/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro'] if matrix_appservice_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_irc_config_path + '/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro'] if matrix_appservice_irc_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_kakaotalk_config_path + '/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro'] if matrix_appservice_kakaotalk_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_slack_config_path + '/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro'] if matrix_appservice_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_webhooks_config_path + '/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro'] if matrix_appservice_webhooks_enabled else []) + + + (['--mount type=bind,src=' + matrix_beeper_linkedin_config_path + '/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro'] if matrix_beeper_linkedin_enabled else []) + + + (['--mount type=bind,src=' + matrix_go_skype_bridge_config_path + '/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro'] if matrix_go_skype_bridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_heisenbridge_base_path + '/registration.yaml,dst=/heisenbridge-registration.yaml,ro'] if matrix_heisenbridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_hookshot_base_path + '/registration.yml,dst=/hookshot-registration.yml,ro'] if matrix_hookshot_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_hangouts_config_path + '/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro'] if matrix_mautrix_hangouts_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_signal_config_path + '/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro'] if matrix_mautrix_signal_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_telegram_config_path + '/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro'] if matrix_mautrix_telegram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_gmessages_config_path + '/registration.yaml,dst=/matrix-mautrix-gmessages-registration.yaml,ro'] if matrix_mautrix_gmessages_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_groupme_config_path + '/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro'] if matrix_mx_puppet_groupme_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_instagram_config_path + '/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro'] if matrix_mx_puppet_instagram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_slack_config_path + '/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro'] if matrix_mx_puppet_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_steam_config_path + '/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro'] if matrix_mx_puppet_steam_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_twitter_config_path + '/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro'] if matrix_mx_puppet_twitter_enabled else []) + + + (['--mount type=bind,src=' + matrix_sms_bridge_config_path + '/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro'] if matrix_sms_bridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_cactus_comments_app_service_config_file + ',dst=/matrix-cactus-comments.yaml,ro'] if matrix_cactus_comments_enabled else []) + }} + +matrix_homeserver_app_service_config_files_auto: | + {{ + (['/matrix-appservice-discord-registration.yaml'] if matrix_appservice_discord_enabled else []) + + + (['/matrix-appservice-irc-registration.yaml'] if matrix_appservice_irc_enabled else []) + + + (['/matrix-appservice-kakaotalk-registration.yaml'] if matrix_appservice_kakaotalk_enabled else []) + + + (['/matrix-appservice-slack-registration.yaml'] if matrix_appservice_slack_enabled else []) + + + (['/matrix-appservice-webhooks-registration.yaml'] if matrix_appservice_webhooks_enabled else []) + + + (['/matrix-beeper-linkedin-registration.yaml'] if matrix_beeper_linkedin_enabled else []) + + + (['/matrix-go-skype-bridge-registration.yaml'] if matrix_go_skype_bridge_enabled else []) + + + (['/heisenbridge-registration.yaml'] if matrix_heisenbridge_enabled else []) + + + (['/hookshot-registration.yml'] if matrix_hookshot_enabled else []) + + + (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else []) + + + (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else []) + + + (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else []) + + + (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) + + + (['/matrix-mautrix-hangouts-registration.yaml'] if matrix_mautrix_hangouts_enabled else []) + + + (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else []) + + + (['/matrix-mautrix-signal-registration.yaml'] if matrix_mautrix_signal_enabled else []) + + + (['/matrix-mautrix-telegram-registration.yaml'] if matrix_mautrix_telegram_enabled else []) + + + (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else []) + + + (['/matrix-mautrix-gmessages-registration.yaml'] if matrix_mautrix_gmessages_enabled else []) + + + (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else []) + + + (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else []) + + + (['/matrix-mx-puppet-groupme-registration.yaml'] if matrix_mx_puppet_groupme_enabled else []) + + + (['/matrix-mx-puppet-instagram-registration.yaml'] if matrix_mx_puppet_instagram_enabled else []) + + + (['/matrix-mx-puppet-slack-registration.yaml'] if matrix_mx_puppet_slack_enabled else []) + + + (['/matrix-mx-puppet-steam-registration.yaml'] if matrix_mx_puppet_steam_enabled else []) + + + (['/matrix-mx-puppet-twitter-registration.yaml'] if matrix_mx_puppet_twitter_enabled else []) + + + (['/matrix-sms-bridge-registration.yaml'] if matrix_sms_bridge_enabled else []) + + + (['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else []) + }} + +######################################################################## +# # +# /base # +# # +######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.systemd_service_manager # +# # +######################################################################## + +# This list is not exhaustive and final. +# Synapse workers are still injected into the list at runtime. +# Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. +# +# Priority levels are like this: +# - core services (the homeserver) get a level of ~1000 +# - services that core services depend on (database, Redis, ntfy, etc.) get a lower level - between 500 and 1000 +# - reverse-proxying services get level 3000 +# - Matrix utility services (bridges, bots) get a level of 2000/2200, so that: +# - they can start before the reverse-proxy +# - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with +# - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix +# - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix +# +# `matrix-bot-postmoogle.service` has a higher priority number (4000), unlike other bots' priority (2200), +# because it requires SSL certificates. If Traefik is used, then Postmoogle needs to start at least after Traefik (3500) and Traefik certs dumper (3500). +devture_systemd_service_manager_services_list_auto: | + {{ + ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + + + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else []) + + + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else []) + + + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else []) + + + ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + + + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + + + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else []) + + + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else []) + + + ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else []) + + + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else []) + + + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else []) + + + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + + + ([{'name': 'matrix-appservice-irc.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-irc']}] if matrix_appservice_irc_enabled else []) + + + ([{'name': 'matrix-appservice-kakaotalk.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-kakaotalk']}] if matrix_appservice_kakaotalk_enabled else []) + + + ([{'name': 'matrix-appservice-kakaotalk-node.service', 'priority': 1900, 'groups': ['matrix', 'bridges', 'appservice-kakaotalk', 'appservice-kakaotalk-node']}] if matrix_appservice_kakaotalk_enabled else []) + + + ([{'name': 'matrix-appservice-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-slack']}] if matrix_appservice_slack_enabled else []) + + + ([{'name': 'matrix-appservice-webhooks.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-webhooks']}] if matrix_appservice_webhooks_enabled else []) + + + ([{'name': 'matrix-beeper-linkedin.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'beeper-linkedin']}] if matrix_beeper_linkedin_enabled else []) + + + ([{'name': 'matrix-go-skype-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'go-skype']}] if matrix_go_skype_bridge_enabled else []) + + + ([{'name': 'matrix-heisenbridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'heisenbridge']}] if matrix_heisenbridge_enabled else []) + + + ([{'name': 'matrix-hookshot.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'hookshot']}] if matrix_hookshot_enabled else []) + + + ([{'name': 'matrix-mautrix-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-discord']}] if matrix_mautrix_discord_enabled else []) + + + ([{'name': 'matrix-mautrix-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-slack']}] if matrix_mautrix_slack_enabled else []) + + + ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-facebook']}] if matrix_mautrix_facebook_enabled else []) + + + ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-googlechat']}] if matrix_mautrix_googlechat_enabled else []) + + + ([{'name': 'matrix-mautrix-hangouts.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-hangouts']}] if matrix_mautrix_hangouts_enabled else []) + + + ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else []) + + + ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else []) + + + ([{'name': 'matrix-mautrix-signal-daemon.service', 'priority': 1900, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal-daemon']}] if matrix_mautrix_signal_enabled else []) + + + ([{'name': 'matrix-mautrix-telegram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-telegram']}] if matrix_mautrix_telegram_enabled else []) + + + ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-twitter']}] if matrix_mautrix_twitter_enabled else []) + + + ([{'name': 'matrix-mautrix-gmessages.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-gmessages']}] if matrix_mautrix_gmessages_enabled else []) + + + ([{'name': 'matrix-mautrix-whatsapp.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-whatsapp']}] if matrix_mautrix_whatsapp_enabled else []) + + + ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-discord']}] if matrix_mx_puppet_discord_enabled else []) + + + ([{'name': 'matrix-mx-puppet-groupme.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-groupme']}] if matrix_mx_puppet_groupme_enabled else []) + + + ([{'name': 'matrix-mx-puppet-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-instagram']}] if matrix_mx_puppet_instagram_enabled else []) + + + ([{'name': 'matrix-mx-puppet-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-slack']}] if matrix_mx_puppet_slack_enabled else []) + + + ([{'name': 'matrix-mx-puppet-steam.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-steam']}] if matrix_mx_puppet_steam_enabled else []) + + + ([{'name': 'matrix-mx-puppet-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-twitter']}] if matrix_mx_puppet_twitter_enabled else []) + + + ([{'name': 'matrix-sms-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'sms']}] if matrix_sms_bridge_enabled else []) + + + ([{'name': 'matrix-cactus-comments.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments']}] if matrix_cactus_comments_enabled else []) + + + ([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny', 'client-cinny']}] if matrix_client_cinny_enabled else []) + + + ([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element', 'client-element']}] if matrix_client_element_enabled else []) + + + ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if matrix_client_hydrogen_enabled else []) + + + ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}] if matrix_homeserver_enabled else []) + + + ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else []) + + + ([{'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else []) + + + ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else []) + + + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + + + ([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else []) + + + ([{'name': 'matrix-dynamic-dns.service', 'priority': 5000, 'groups': ['matrix', 'dynamic-dns']}] if matrix_dynamic_dns_enabled else []) + + + ([{'name': 'matrix-email2matrix.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'email2matrix']}] if matrix_email2matrix_enabled else []) + + + ([{'name': (etherpad_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if etherpad_enabled else []) + + + ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else []) + + + ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if jitsi_enabled else []) + + + ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else []) + + + ([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else []) + + + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + + + ([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000, 'groups': ['matrix', 'ldap-registration-proxy']}] if matrix_ldap_registration_proxy_enabled else []) + + + ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else []) + + + ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else []) + + + ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else []) + + + ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else []) + + + (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list ) + + + ([{'name': (ntfy_identifier + '.service'), 'priority': 800, 'groups': ['matrix', 'ntfy']}] if ntfy_enabled else []) + + + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else []) + + + ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 5000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else []) + + + ([{'name': (prometheus_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus']}] if prometheus_enabled else []) + + + ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else []) + + + ([{'name': (prometheus_postgres_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-postgres-exporter']}] if prometheus_postgres_exporter_enabled else []) + + + ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-nginxlog-exporter']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + + + ([{'name': (redis_identifier + '.service'), 'priority': 750, 'groups': ['matrix', 'redis']}] if redis_enabled else []) + + + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) + + + ([{'name': 'matrix-sliding-sync.service', 'priority': 4000, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) + + + ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else []) + + + ([{'name': 'matrix-goofys.service', 'priority': 800, 'groups': ['matrix', 'goofys']}] if matrix_s3_media_store_enabled else []) + + + ([{'name': 'matrix-synapse-s3-storage-provider-migrate.timer', 'priority': 5000, 'groups': ['matrix']}] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + + + ([{'name': 'matrix-synapse-auto-compressor.timer', 'priority': 5000, 'groups': ['matrix', 'synapse-auto-compressor']}] if matrix_synapse_auto_compressor_enabled else []) + + + ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + + + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + + + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) + + + ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else []) + + + ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + + + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else []) + }} + +######################################################################## +# # +# /com.devture.ansible.role.systemd_service_manager # +# # +######################################################################## + ######################################################################## # # @@ -25,7 +403,6 @@ ######################################################################## - ###################################################################### # # com.devture.ansible.role.playbook_state_preserver @@ -48,7 +425,6 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ matrix_base_d ###################################################################### - ###################################################################### # # matrix-base @@ -57,12 +433,10 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ matrix_base_d matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" -# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. -# This is because we explicitly disable them for the main Synapse process. matrix_homeserver_container_url: |- {{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else { - 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), + 'synapse': ('http://matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), 'conduit': ('http://matrix-conduit:' + matrix_conduit_port_number|string), }[matrix_homeserver_implementation] @@ -71,12 +445,21 @@ matrix_homeserver_container_url: |- matrix_homeserver_container_federation_url: |- {{ 'http://matrix-nginx-proxy:12088' if matrix_nginx_proxy_enabled else { - 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), + 'synapse': ('http://matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), 'conduit': ('http://matrix-conduit:' + matrix_conduit_port_number|string), }[matrix_homeserver_implementation] }} +matrix_homeserver_container_network: |- + {{ + matrix_nginx_proxy_container_network if matrix_nginx_proxy_enabled else { + 'synapse': matrix_synapse_container_network, + 'dendrite': matrix_dendrite_container_network, + 'conduit': matrix_conduit_container_network, + }[matrix_homeserver_implementation] + }} + matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" @@ -99,7 +482,7 @@ matrix_appservice_discord_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-discord's client-server port to the local host. -matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" +matrix_appservice_discord_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9005') if matrix_playbook_service_host_bind_interface_prefix else '' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" @@ -110,19 +493,20 @@ matrix_appservice_discord_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token', rounds=655555) | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token', rounds=655555) | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. -matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_appservice_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -145,14 +529,14 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token', rounds=655555) | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token', rounds=655555) | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -184,14 +568,14 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture not # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. -matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" +matrix_appservice_slack_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_appservice_slack_slack_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}" matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token', rounds=655555) | to_uuid }}" -matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token', rounds=655555) | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -202,9 +586,10 @@ matrix_appservice_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_appservice_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'nedb' }}" +matrix_appservice_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -226,7 +611,7 @@ matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'am # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-irc's client-server port to the local host. -matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}" +matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}" # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. @@ -241,12 +626,13 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token', rounds=655555) | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token', rounds=655555) | to_uuid }}" -matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'nedb' }}" +matrix_appservice_irc_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -274,17 +660,18 @@ matrix_appservice_kakaotalk_systemd_required_services_list: | + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs') | to_uuid }}" +matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}" -matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs') | to_uuid }}" +matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}" matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db') | to_uuid }}" +matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_appservice_kakaotalk_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -310,20 +697,21 @@ matrix_beeper_linkedin_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token', rounds=655555) | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token', rounds=655555) | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -348,20 +736,21 @@ matrix_go_skype_bridge_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_go_skype_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.token') | to_uuid }}" +matrix_go_skype_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.token', rounds=655555) | to_uuid }}" -matrix_go_skype_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.token') | to_uuid }}" +matrix_go_skype_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.token', rounds=655555) | to_uuid }}" matrix_go_skype_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_go_skype_bridge_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_go_skype_bridge_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_go_skype_bridge_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -369,168 +758,265 @@ matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_ge # ###################################################################### + ###################################################################### # -# matrix-bridge-mautrix-facebook +# matrix-bridge-mautrix-discord # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_facebook_enabled: false +matrix_mautrix_discord_enabled: false -matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_discord_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_mautrix_facebook_systemd_required_services_list: | +matrix_mautrix_discord_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" - -matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook') | to_uuid }}" +matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9008' }}" - -matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" - -matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain -# and point them to a migration path. -matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-facebook +# /matrix-bridge-mautrix-discord # ###################################################################### ###################################################################### # -# matrix-bridge-mautrix-hangouts +# matrix-bridge-mautrix-slack # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_hangouts_enabled: false +matrix_mautrix_slack_enabled: false -matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_slack_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_mautrix_hangouts_systemd_required_services_list: | +matrix_mautrix_slack_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" - -matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.as.tok', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-hangouts +# /matrix-bridge-mautrix-slack # ###################################################################### ###################################################################### # -# matrix-bridge-mautrix-googlechat +# matrix-bridge-mautrix-facebook # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_googlechat_enabled: false +matrix_mautrix_facebook_enabled: false -matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_googlechat_systemd_required_services_list: | +matrix_mautrix_facebook_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" + +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_facebook_metrics_enabled` +# - `matrix_mautrix_facebook_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_facebook_metrics_enabled: "{{ prometheus_enabled }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. +matrix_mautrix_facebook_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_facebook_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-googlechat +# /matrix-bridge-mautrix-facebook # ###################################################################### ###################################################################### # -# matrix-bridge-mautrix-instagram +# matrix-bridge-mautrix-googlechat # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_instagram_enabled: false +matrix_mautrix_googlechat_enabled: false -matrix_mautrix_instagram_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_instagram_systemd_required_services_list: | +matrix_mautrix_googlechat_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_googlechat_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-googlechat +# +###################################################################### + + +###################################################################### +# +# matrix-bridge-mautrix-hangouts +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_hangouts_enabled: false + +matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_hangouts_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_hangouts_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_hangouts_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-hangouts +# +###################################################################### + + +###################################################################### +# +# matrix-bridge-mautrix-instagram +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_instagram_enabled: false + +matrix_mautrix_instagram_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_instagram_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_instagram_metrics_enabled` +# - `matrix_mautrix_instagram_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_instagram_metrics_enabled: "{{ prometheus_enabled }}" + # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. -matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_instagram_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -554,7 +1040,7 @@ matrix_mautrix_signal_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + @@ -565,14 +1051,21 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_signal_metrics_enabled` +# - `matrix_mautrix_signal_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled }}" + matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}" matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" @@ -603,24 +1096,25 @@ matrix_mautrix_telegram_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" +matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_telegram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_telegram_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -645,19 +1139,19 @@ matrix_mautrix_twitter_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.as.token') | to_uuid }}" +matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token') | to_uuid }}" +matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_twitter_database_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" -matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db') | to_uuid if matrix_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if devture_postgres_enabled else '' }}" ###################################################################### # @@ -667,39 +1161,46 @@ matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_ge ###################################################################### # -# matrix-bridge-mautrix-whatsapp +# matrix-bridge-mautrix-gmessages # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_whatsapp_enabled: false +matrix_mautrix_gmessages_enabled: false -matrix_mautrix_whatsapp_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_mautrix_gmessages_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_mautrix_whatsapp_systemd_required_services_list: | +matrix_mautrix_gmessages_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_gmessages_metrics_enabled` +# - `matrix_mautrix_gmessages_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_gmessages_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_gmessages_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maugmessages.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-whatsapp +# /matrix-bridge-mautrix-gmessages # ###################################################################### @@ -718,7 +1219,7 @@ matrix_mautrix_wsproxy_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-postgres.service'] if devture_postgres_enabled else []) }} matrix_mautrix_wsproxy_homeserver_domain: '{{ matrix_domain }}' @@ -733,41 +1234,46 @@ matrix_mautrix_wsproxy_homeserver_address: "{{ 'http://matrix-synapse:8008' if m ###################################################################### # -# matrix-bridge-mautrix-discord +# matrix-bridge-mautrix-whatsapp # ###################################################################### -matrix_mautrix_discord_enabled: false -matrix_mautrix_discord_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +# We don't enable bridges by default. +matrix_mautrix_whatsapp_enabled: false -matrix_mautrix_discord_systemd_required_services_list: | +matrix_mautrix_whatsapp_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db') | to_uuid }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_whatsapp_metrics_enabled` +# - `matrix_mautrix_whatsapp_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled }}" -# Enabling bridge.restricted_rooms for this bridge does not work well with Conduit, so we disable it by default. -# This will be fixed in the upcoming `0.5.0` release of conduit. -matrix_mautrix_discord_bridge_restricted_rooms: "{{ false if matrix_homeserver_implementation == 'conduit' else true }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_whatsapp_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-discord +# /matrix-bridge-mautrix-whatsapp # ###################################################################### @@ -789,10 +1295,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token', rounds=655555) | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token', rounds=655555) | to_uuid }}" ###################################################################### # @@ -809,9 +1315,9 @@ matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_ # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok', rounds=655555) | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok', rounds=655555) | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -837,9 +1343,9 @@ matrix_hookshot_enabled: false matrix_hookshot_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.as.tok') | to_uuid }}" +matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.as.tok', rounds=655555) | to_uuid }}" -matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok') | to_uuid }}" +matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok', rounds=655555) | to_uuid }}" matrix_hookshot_systemd_wanted_services_list: | {{ @@ -849,12 +1355,12 @@ matrix_hookshot_systemd_wanted_services_list: | }} matrix_hookshot_container_http_host_bind_ports_defaultmapping: - - "127.0.0.1:{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}" - - "127.0.0.1:{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}" - - "127.0.0.1:{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}" - - "127.0.0.1:{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}" -matrix_hookshot_container_http_host_bind_ports: "{{ [] if matrix_nginx_proxy_enabled else matrix_hookshot_container_http_host_bind_ports_defaultmapping }}" +matrix_hookshot_container_http_host_bind_ports: "{{ matrix_hookshot_container_http_host_bind_ports_defaultmapping if matrix_playbook_service_host_bind_interface_prefix else [] }}" matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}" @@ -864,11 +1370,11 @@ matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret an # - `matrix_hookshot_metrics_enabled` # - `matrix_hookshot_metrics_proxying_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_hookshot_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_hookshot_metrics_enabled: "{{ prometheus_enabled }}" matrix_hookshot_urlprefix_port_enabled: "{{ matrix_nginx_proxy_container_https_host_bind_port == 443 if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_https_host_bind_port == 80 }}" matrix_hookshot_urlprefix_port: ":{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}" -matrix_hookshot_urlprefix: "http{{ 's' if matrix_nginx_proxy_https_enabled else '' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}" +matrix_hookshot_urlprefix: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}" ###################################################################### # @@ -894,20 +1400,21 @@ matrix_mx_puppet_slack_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -932,22 +1439,23 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}" +matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_mx_puppet_twitter_appservice_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_twitter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -973,20 +1481,21 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_instagram_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1011,20 +1520,21 @@ matrix_mx_puppet_discord_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1049,20 +1559,21 @@ matrix_mx_puppet_steam_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_steam_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1087,20 +1598,21 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_groupme_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1123,14 +1635,15 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1184,7 +1697,7 @@ matrix_bot_maubot_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1193,15 +1706,16 @@ matrix_bot_maubot_registration_shared_secret: |- {{ { 'synapse': matrix_synapse_registration_shared_secret, - 'dendrite': matrix_dendrite_registration_shared_secret, + 'dendrite': matrix_dendrite_client_api_registration_shared_secret, }[matrix_homeserver_implementation] }} -matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_bot_maubot_management_interface_port | string) }}" +matrix_bot_maubot_management_interface_http_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_bot_maubot_management_interface_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_maubot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_maubot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1219,22 +1733,52 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic # We don't enable bots by default. matrix_bot_honoroit_enabled: false +matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_bot_honoroit_path_prefix: /honoroit + +# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint +# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`). +matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit + matrix_bot_honoroit_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_honoroit_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_honoroit_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_bot_honoroit_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-honoroit' }}" + +# For now, we attach this to the matrix-nginx-proxy network (unless that's the same network as the main one for us), +# because that's where the homeserver is expected to be accessed from. +# In the future, this will need to be redone. +matrix_bot_honoroit_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_honoroit_container_network != matrix_nginx_proxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_honoroit_container_network else []) + ) | unique + }} + +matrix_bot_honoroit_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_honoroit_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_honoroit_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + ###################################################################### # # /matrix-bot-honoroit @@ -1250,21 +1794,46 @@ matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in [ # We don't enable bots by default. matrix_bot_buscarron_enabled: false +matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + matrix_bot_buscarron_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_buscarron_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db') | to_uuid }}" -matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" + +matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" + +matrix_bot_buscarron_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-buscarron' }}" + +# For now, we attach this to the matrix-nginx-proxy network (unless that's the same network as the main one for us), +# because that's where the homeserver is expected to be accessed from. +# In the future, this will need to be redone. +matrix_bot_buscarron_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_buscarron_container_network else []) + ) | unique + }} + +matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -1280,24 +1849,71 @@ matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in # We don't enable bots by default. matrix_bot_postmoogle_enabled: false -matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" -matrix_bot_postmoogle_tls_cert: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem" -matrix_bot_postmoogle_tls_key: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem" + +matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_bot_postmoogle_ssl_path: |- + {{ + { + 'playbook-managed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-managed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" +matrix_playbook_bot_postmoogle_nginx_proxy_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" + +matrix_playbook_bot_postmoogle_traefik_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/certificate.crt {% endfor %}" +matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/privatekey.key {% endfor %}" + +matrix_bot_postmoogle_tls_cert: |- + {{ + { + 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_bot_postmoogle_tls_key: |- + {{ + { + 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services: "{% for domain in matrix_bot_postmoogle_domains %}{{ devture_traefik_certs_dumper_identifier }}-wait-for-domain@{{ domain }}.service {% endfor %}" matrix_bot_postmoogle_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_postmoogle_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db') | to_uuid }}" - -matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_postmoogle_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_postmoogle_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1306,6 +1922,24 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ###################################################################### +###################################################################### +# +# matrix-bot-chatgpt +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_chatgpt_enabled: false + +matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +###################################################################### +# +# /matrix-bot-chatgpt +# +###################################################################### + + ###################################################################### # # matrix-bot-go-neb @@ -1315,17 +1949,41 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in # We don't enable bots by default. matrix_bot_go_neb_enabled: false +matrix_bot_go_neb_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" + +matrix_bot_go_neb_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-go-neb' }}" + +matrix_bot_go_neb_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_bot_go_neb_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_go_neb_container_network else []) + ) | unique + }} + +matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_bot_go_neb_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_go_neb_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_go_neb_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + + ([devture_postgres_identifier + '.service'] if devture_postgres_enabled else []) + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}" - ###################################################################### # # /matrix-bot-go-neb @@ -1350,7 +2008,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1363,45 +2021,88 @@ matrix_bot_mjolnir_systemd_required_services_list: | ###################################################################### # -# matrix-backup-borg +# matrix-bot-draupnir # ###################################################################### -matrix_backup_borg_enabled: false -matrix_backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" -matrix_backup_borg_postgresql_enabled: "{{ matrix_postgres_enabled }}" -matrix_backup_borg_postgresql_databases_hostname: "{{ matrix_postgres_connection_hostname }}" -matrix_backup_borg_postgresql_databases_username: "{{ matrix_postgres_connection_username }}" -matrix_backup_borg_postgresql_databases_password: "{{ matrix_postgres_connection_password }}" -matrix_backup_borg_postgresql_databases_port: "{{ matrix_postgres_connection_port }}" -matrix_backup_borg_postgresql_databases: | +# We don't enable bots by default. +matrix_bot_draupnir_enabled: false + +matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + +matrix_bot_draupnir_systemd_required_services_list: | {{ - (([{ - 'name': matrix_synapse_database_database - }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + ['docker.service'] + - matrix_postgres_additional_databases)|map(attribute='name') | list + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_backup_borg_location_source_directories: + +###################################################################### +# +# /matrix-bot-draupnir +# +###################################################################### + + +###################################################################### +# +# etke/backup_borg +# +###################################################################### + +backup_borg_enabled: false + +backup_borg_identifier: matrix-backup-borg +backup_borg_retention_prefix: matrix- +backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S} + +backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg" + +backup_borg_username: "{{ matrix_user_username }}" +backup_borg_uid: "{{ matrix_user_uid }}" +backup_borg_gid: "{{ matrix_user_gid }}" + +backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}" + +backup_borg_postgresql_version_detection_devture_postgres_role_name: "{{ 'galaxy/com.devture.ansible.role.postgres' if devture_postgres_enabled else '' }}" + +backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" + +backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}" +backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" + +backup_borg_location_source_directories: - "{{ matrix_base_data_path }}" -matrix_backup_borg_location_exclude_patterns: | + +backup_borg_location_exclude_patterns: | {{ ([matrix_synapse_media_store_path + '/local_thumbnails', matrix_synapse_media_store_path + '/remote_thumbnail', matrix_synapse_media_store_path + '/url_cache', matrix_synapse_media_store_path + '/url_cache_thumbnails'] if matrix_homeserver_implementation == 'synapse' else []) + - ([matrix_postgres_data_path] if matrix_postgres_enabled else []) + ([devture_postgres_data_path] if devture_postgres_enabled else []) }} -matrix_backup_borg_systemd_required_services_list: | + +backup_borg_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} ###################################################################### # -# /matrix-backup-borg +# /etke/backup_borg # ###################################################################### + + ###################################################################### # # matrix-cactus-comments @@ -1411,8 +2112,8 @@ matrix_backup_borg_systemd_required_services_list: | matrix_cactus_comments_enabled: false # Derive secret values from homeserver secret -matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token') | to_uuid }}" -matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token') | to_uuid }}" +matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token', rounds=655555) | to_uuid }}" +matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token', rounds=655555) | to_uuid }}" matrix_cactus_comments_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" matrix_cactus_comments_systemd_required_services_list: | @@ -1445,8 +2146,8 @@ matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-corporal's web-server ports to the local host. -matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}" -matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}" +matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_corporal_systemd_required_services_list: | {{ @@ -1470,6 +2171,37 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati # ###################################################################### + +###################################################################### +# +# matrix-rageshake +# +###################################################################### + +# We don't enable rageshake by default. +matrix_rageshake_enabled: false + +matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +matrix_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" + +matrix_rageshake_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-rageshake' }}" + +matrix_rageshake_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9110') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +###################################################################### +# +# /matrix-rageshake +# +###################################################################### + ###################################################################### # # matrix-coturn @@ -1482,20 +2214,74 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" -matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas') | to_uuid }}" +matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" + +matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }}" + +matrix_coturn_tls_cert_path: |- + {{ + { + 'playbook-managed-traefik': '/certificate.crt', + 'other-traefik-container': '/certificate.crt', + 'playbook-managed-nginx': '/fullchain.pem', + 'other-nginx-non-container': '/fullchain.pem', + 'other-on-same-host': '', + 'other-on-another-host': '', + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_coturn_tls_key_path: |- + {{ + { + 'playbook-managed-traefik': '/privatekey.key', + 'other-traefik-container': '/privatekey.key', + 'playbook-managed-nginx': '/privkey.pem', + 'other-nginx-non-container': '/privkey.pem', + 'other-on-same-host': '', + 'other-on-another-host': '', + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} -matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" -matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" -matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" matrix_coturn_container_additional_volumes: | {{ - ([] if matrix_ssl_retrieval_method == 'none' else [ - { - 'src': matrix_ssl_config_dir_path, - 'dst': matrix_ssl_config_dir_path, - 'options': 'ro', - } - ]) + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} + +matrix_coturn_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []) }} ###################################################################### @@ -1514,12 +2300,33 @@ matrix_dimension_enabled: false matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Dimension HTTP port to the local host. -matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" +matrix_dimension_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_dimension_hostname: "{{ matrix_server_fqn_dimension }}" + +matrix_dimension_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-dimension' }}" + +matrix_dimension_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_dimension_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_dimension_container_network else []) + ) | unique + }} + +matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_dimension_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" +matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}" matrix_dimension_systemd_required_services_list: | {{ @@ -1527,14 +2334,15 @@ matrix_dimension_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_dimension_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_dimension_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1544,28 +2352,57 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_ ###################################################################### # -# matrix-etherpad +# etke/etherpad # ###################################################################### -matrix_etherpad_enabled: false +etherpad_enabled: false + +etherpad_identifier: matrix-etherpad + +etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" + +etherpad_framing_enabled: "{{ matrix_dimension_enabled or jitsi_enabled }}" + +etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" + +etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +etherpad_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else etherpad_identifier }}" -matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}" +etherpad_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != etherpad_container_network else []) + ) | unique + }} -matrix_etherpad_base_url: "{{ 'https://'+ matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" +etherpad_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +etherpad_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +etherpad_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +etherpad_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -matrix_etherpad_systemd_required_services_list: | +etherpad_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" +etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +etherpad_database_name: matrix_etherpad +etherpad_database_username: matrix_etherpad +etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-etherpad +# /etke/etherpad # ###################################################################### @@ -1601,47 +2438,99 @@ matrix_email2matrix_container_image_self_build: "{{ matrix_architecture not in [ ###################################################################### # -# matrix-jitsi +# jitsi # ###################################################################### -matrix_jitsi_enabled: false +jitsi_enabled: false + +jitsi_architecture: "{{ matrix_architecture }}" + +jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" + +jitsi_identifier: matrix-jitsi + +jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" + +jitsi_uid: "{{ matrix_user_uid }}" +jitsi_gid: "{{ matrix_user_gid }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13080' }}" - -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" +jitsi_web_container_additional_networks_auto: | + {{ + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + }} -matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" +jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_web_stun_servers: | +jitsi_jvb_container_additional_networks_auto: | {{ - [ - 'stun:' + matrix_server_fqn_matrix + ':5349', - 'stun:' + matrix_server_fqn_matrix + ':3478', - ] - if matrix_coturn_enabled - else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443'] + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) }} +jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +jitsi_prosody_container_additional_networks_auto: | + {{ + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + }} + +jitsi_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +jitsi_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" +jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" +jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}" + +jitsi_web_stun_servers: | + {{ + [ + 'stun:' + matrix_server_fqn_matrix + ':5349', + 'stun:' + matrix_server_fqn_matrix + ':3478', + ] + if matrix_coturn_enabled + else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443'] + }} + +# The Jitsi instance installed by this playbook is meant for embedding into Matrix clients, so framing is allowed. +jitsi_web_framing_enabled: true + +jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" +jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}" +jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}" +jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port if matrix_coturn_enabled else '' }}" +jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port if matrix_coturn_enabled else '' }}" + # If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences, -# unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false. -# Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true, -# while also setting `matrix_etherpad_enabled` to false. -matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}" -matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" +# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false. +# Falls back to the scalar.vector.im etherpad in case someone sets `jitsi_etherpad_enabled` to true, +# while also setting `etherpad_enabled` to false. +jitsi_etherpad_enabled: "{{ etherpad_enabled }}" +jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" + +# Allow verification using JWT and matrix-UVS +jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" +jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" + +jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +# Gravatar is enabled by default upstream, but there's no need to leak data there needlessly +# when embedding Jitsi in Matrix rooms. +jitsi_disable_gravatar: true ###################################################################### # -# /matrix-jitsi +# /jitsi # ###################################################################### + + ###################################################################### # # matrix-ldap-registration-proxy @@ -1698,7 +2587,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # ma1sd's web-server port. -matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_container_port | string }}" +matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # We enable Synapse integration via its Postgres database by default. @@ -1712,7 +2601,7 @@ matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" # The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, # but may be inaccurate if matrix-corporal is enabled. -matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" @@ -1720,25 +2609,26 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_ma1sd_systemd_required_services_list: | {{ - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-mailer.service'] if matrix_mailer_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_ma1sd_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_ma1sd_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1746,16 +2636,71 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # ###################################################################### +###################################################################### +# +# matrix-media-repo +# +###################################################################### + +matrix_media_repo_enabled: false +matrix_media_repo_container_network: "{{ matrix_docker_network }}" + +matrix_media_repo_container_labels_traefik_enabled: false +matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_media_repo_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_media_repo_database_username: matrix_media_repo +matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}" +matrix_media_repo_database_name: matrix_media_repo + +matrix_media_repo_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else []) + }} + +###################################################################### +# +# /matrix-media-repo +# +###################################################################### + ###################################################################### # # matrix-nginx-proxy # ###################################################################### -# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448. -# This is fine if you're dedicating the whole server to Matrix. -# If that's not the case, you may wish to disable this and take care of proxying yourself. -matrix_nginx_proxy_enabled: true +# This playbook installs its own nginx if +# - it's explicitly enabled +# - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy +matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'playbook-managed-traefik', 'other-traefik-container'] }}" + +# matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy. +# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. +matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'none' }}" +matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' }}" + +# matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy. +# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. +matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" + +# matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy +matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}" +matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}" + +matrix_nginx_proxy_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([jitsi_container_network] if jitsi_enabled and matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' and jitsi_container_network != matrix_nginx_proxy_container_network else []) + ) | unique + }} matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" @@ -1773,18 +2718,28 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}" matrix_nginx_proxy_proxy_matrix_enabled: true -matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" -matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" -matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" -matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" -matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" -matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" -matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" -matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" -matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" -matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" -matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: "{{ matrix_mautrix_wsproxy_enabled }}" -matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" +matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: "{{ matrix_mautrix_wsproxy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" + +matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" + +matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" + +matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -1794,6 +2749,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled } matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}" +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" + # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- @@ -1809,10 +2768,10 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-ngin matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port | string}}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "127.0.0.1:{{matrix_synapse_container_federation_api_plain_port | string}}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "{{ 'matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled else 'matrix-synapse:8008' }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "{{ 'matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else 'matrix-synapse:8048' }}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "127.0.0.1:8048" matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port | string }}" @@ -1829,32 +2788,16 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1: # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" -matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" - matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" -matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" # OCSP stapling does not make sense when self-signed certificates are used. # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 -matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" - -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" - -matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" -matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" -matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}" +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'self-signed' }}" matrix_nginx_proxy_systemd_wanted_services_list: | {{ @@ -1862,33 +2805,39 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (matrix_synapse_webserving_workers_systemd_services_list if matrix_homeserver_implementation == 'synapse' and matrix_synapse_workers_enabled else []) + + (['matrix-synapse-reverse-proxy-companion.service'] if matrix_synapse_reverse_proxy_companion_enabled else []) + + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + - (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else []) + + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + + + (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else []) + (['matrix-client-element.service'] if matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-client-element.service'] if matrix_client_element_enabled else []) + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + ([(grafana_identifier + '.service')] if grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-grafana.service'] if matrix_grafana_enabled else []) + (['matrix-dimension.service'] if matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-dimension.service'] if matrix_dimension_enabled else []) + (['matrix-rageshake.service'] if matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + (['matrix-sygnal.service'] if matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-ntfy.service'] if matrix_ntfy_enabled else []) + ([(ntfy_identifier + '.service')] if ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + ([(jitsi_identifier + '-web.service')] if jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) + ([etherpad_identifier + '.service'] if etherpad_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-hookshot.service'] if matrix_hookshot_enabled else []) + (['matrix-hookshot.service'] if matrix_hookshot_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) }} matrix_ssl_domains_to_obtain_certificates_for: | @@ -1907,21 +2856,23 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + - ([matrix_server_fqn_etherpad] if (matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone') else []) + ([matrix_server_fqn_etherpad] if (etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled) else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) + - ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + ([matrix_server_fqn_jitsi] if jitsi_enabled else []) + - ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) + ([matrix_server_fqn_grafana] if grafana_enabled else []) + ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) + ([matrix_server_fqn_mautrix_wsproxy] if matrix_mautrix_wsproxy_enabled else []) + - ([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else []) + ([ntfy_hostname] if ntfy_enabled else []) + - ([matrix_bot_postmoogle_domain] if matrix_bot_postmoogle_enabled else []) + ([matrix_server_fqn_rageshake] if matrix_rageshake_enabled else []) + + + (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else []) + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) + @@ -1938,46 +2889,61 @@ matrix_ssl_architecture: "{{ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }}" +matrix_nginx_proxy_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_nginx_proxy_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" + ###################################################################### # # /matrix-nginx-proxy # ###################################################################### -###################################################################### -# -# matrix-postgres -# -###################################################################### -matrix_postgres_enabled: true +######################################################################## +# # +# com.devture.ansible.role.postgres # +# # +######################################################################## + +# To completely disable installing Postgres, use `devture_postgres_enabled: false`. + +devture_postgres_identifier: matrix-postgres + +devture_postgres_architecture: "{{ matrix_architecture }}" + +devture_postgres_base_path: "{{ matrix_base_data_path }}/postgres" + +devture_postgres_container_network: "{{ matrix_docker_network }}" -matrix_postgres_architecture: "{{ matrix_architecture }}" +devture_postgres_uid: "{{ matrix_user_uid }}" +devture_postgres_gid: "{{ matrix_user_gid }}" -# We unset this if internal Postgres disabled, which will cascade to some other variables -# and tell users they need to set it (either here or in those variables). -matrix_postgres_connection_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" +devture_postgres_connection_username: matrix +devture_postgres_db_name: matrix -matrix_postgres_pgloader_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +devture_postgres_systemd_services_to_stop_for_maintenance_list: | + {{ + ['matrix-' + matrix_homeserver_implementation + '.service'] + }} -matrix_postgres_additional_databases: | +devture_postgres_managed_databases_auto: | {{ ([{ 'name': matrix_synapse_database_database, 'username': matrix_synapse_database_user, 'password': matrix_synapse_database_password, - }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + }] if (matrix_synapse_enabled and matrix_synapse_database_host == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_dendrite_federationapi_database, + 'name': matrix_dendrite_federation_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_keyserver_database, + 'name': matrix_dendrite_key_server_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_mediaapi_database, + 'name': matrix_dendrite_media_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ @@ -1985,130 +2951,140 @@ matrix_postgres_additional_databases: | 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_syncapi_database, + 'name': matrix_dendrite_sync_api_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_user_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_userapi_database, + 'name': matrix_dendrite_relay_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_pushserver_database, + 'name': matrix_dendrite_push_server_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ 'name': matrix_dendrite_mscs_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, - }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_connection_hostname) else []) + + + ([{ + 'name': matrix_sliding_sync_database_name, + 'username': matrix_sliding_sync_database_username, + 'password': matrix_sliding_sync_database_password, + }] if (matrix_sliding_sync_enabled) else []) + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, 'password': matrix_ma1sd_database_password, - }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == 'matrix-postgres') else []) + }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_matrix_reminder_bot_database_name, 'username': matrix_bot_matrix_reminder_bot_database_username, 'password': matrix_bot_matrix_reminder_bot_database_password, - }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_honoroit_database_name, 'username': matrix_bot_honoroit_database_username, 'password': matrix_bot_honoroit_database_password, - }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_postmoogle_database_name, 'username': matrix_bot_postmoogle_database_username, 'password': matrix_bot_postmoogle_database_password, - }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_maubot_database_name, 'username': matrix_bot_maubot_database_username, 'password': matrix_bot_maubot_database_password, - }] if (matrix_bot_maubot_enabled and matrix_bot_maubot_database_engine == 'postgres' and matrix_bot_maubot_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_maubot_enabled and matrix_bot_maubot_database_engine == 'postgres' and matrix_bot_maubot_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_buscarron_database_name, 'username': matrix_bot_buscarron_database_username, 'password': matrix_bot_buscarron_database_password, - }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, 'password': matrix_registration_database_password, - }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == 'matrix-postgres') else []) + }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_discord_database_name, 'username': matrix_appservice_discord_database_username, 'password': matrix_appservice_discord_database_password, - }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_slack_database_name, 'username': matrix_appservice_slack_database_username, 'password': matrix_appservice_slack_database_password, - }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_irc_database_name, 'username': matrix_appservice_irc_database_username, 'password': matrix_appservice_irc_database_password, - }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_kakaotalk_database_name, 'username': matrix_appservice_kakaotalk_database_username, 'password': matrix_appservice_kakaotalk_database_password, - }] if (matrix_appservice_kakaotalk_enabled and matrix_appservice_kakaotalk_database_engine == 'postgres' and matrix_appservice_kakaotalk_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_kakaotalk_enabled and matrix_appservice_kakaotalk_database_engine == 'postgres' and matrix_appservice_kakaotalk_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_beeper_linkedin_database_name, 'username': matrix_beeper_linkedin_database_username, 'password': matrix_beeper_linkedin_database_password, - }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == 'matrix-postgres') else []) + }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_go_skype_bridge_database_name, 'username': matrix_go_skype_bridge_database_username, 'password': matrix_go_skype_bridge_database_password, - }] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == 'matrix-postgres') else []) + }] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_facebook_database_name, 'username': matrix_mautrix_facebook_database_username, 'password': matrix_mautrix_facebook_database_password, - }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_hangouts_database_name, 'username': matrix_mautrix_hangouts_database_username, 'password': matrix_mautrix_hangouts_database_password, - }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_googlechat_database_name, 'username': matrix_mautrix_googlechat_database_username, 'password': matrix_mautrix_googlechat_database_password, - }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_instagram_database_name, 'username': matrix_mautrix_instagram_database_username, 'password': matrix_mautrix_instagram_database_password, - }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, 'password': matrix_mautrix_signal_database_password, - }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_wsproxy_syncproxy_database_name, @@ -2120,92 +3096,148 @@ matrix_postgres_additional_databases: | 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, 'password': matrix_mautrix_telegram_database_password, - }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_twitter_database_name, 'username': matrix_mautrix_twitter_database_username, 'password': matrix_mautrix_twitter_database_password, - }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_connection_hostname) else []) + + + ([{ + 'name': matrix_mautrix_gmessages_database_name, + 'username': matrix_mautrix_gmessages_database_username, + 'password': matrix_mautrix_gmessages_database_password, + }] if (matrix_mautrix_gmessages_enabled and matrix_mautrix_gmessages_database_engine == 'postgres' and matrix_mautrix_gmessages_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, 'password': matrix_mautrix_whatsapp_database_password, - }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_discord_database_name, 'username': matrix_mautrix_discord_database_username, 'password': matrix_mautrix_discord_database_password, - }] if (matrix_mautrix_discord_enabled and matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_discord_enabled and matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == devture_postgres_connection_hostname) else []) + + + ([{ + 'name': matrix_mautrix_slack_database_name, + 'username': matrix_mautrix_slack_database_username, + 'password': matrix_mautrix_slack_database_password, + }] if (matrix_mautrix_slack_enabled and matrix_mautrix_slack_database_engine == 'postgres' and matrix_mautrix_slack_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_slack_database_name, 'username': matrix_mx_puppet_slack_database_username, 'password': matrix_mx_puppet_slack_database_password, - }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_twitter_database_name, 'username': matrix_mx_puppet_twitter_database_username, 'password': matrix_mx_puppet_twitter_database_password, - }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_instagram_database_name, 'username': matrix_mx_puppet_instagram_database_username, 'password': matrix_mx_puppet_instagram_database_password, - }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_discord_database_name, 'username': matrix_mx_puppet_discord_database_username, 'password': matrix_mx_puppet_discord_database_password, - }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_steam_database_name, 'username': matrix_mx_puppet_steam_database_username, 'password': matrix_mx_puppet_steam_database_password, - }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_groupme_database_name, 'username': matrix_mx_puppet_groupme_database_username, 'password': matrix_mx_puppet_groupme_database_password, - }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_dimension_database_name, 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, - }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) + }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_etherpad_database_name, - 'username': matrix_etherpad_database_username, - 'password': matrix_etherpad_database_password, - }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else []) + 'name': etherpad_database_name, + 'username': etherpad_database_username, + 'password': etherpad_database_password, + }] if (etherpad_enabled and etherpad_database_engine == 'postgres' and etherpad_database_hostname == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_prometheus_postgres_exporter_database_name, - 'username': matrix_prometheus_postgres_exporter_database_username, - 'password': matrix_prometheus_postgres_exporter_database_password, - }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) + 'name': prometheus_postgres_exporter_database_name, + 'username': prometheus_postgres_exporter_database_username, + 'password': prometheus_postgres_exporter_database_password, + }] if (prometheus_postgres_exporter_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else []) + + + ([{ + 'name': matrix_media_repo_database_name, + 'username': matrix_media_repo_database_username, + 'password': matrix_media_repo_database_password, + }] if (matrix_media_repo_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname) else []) }} -matrix_postgres_systemd_services_to_stop_for_maintenance_list: | +######################################################################## +# # +# /com.devture.ansible.role.postgres # +# # +######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.postgres_backup # +# # +######################################################################## + +devture_postgres_backup_enabled: false + +devture_postgres_backup_identifier: matrix-postgres-backup + +devture_postgres_backup_architecture: "{{ matrix_architecture }}" + +devture_postgres_backup_base_path: "{{ matrix_base_data_path }}/postgres-backup" + +devture_postgres_backup_systemd_required_services_list: | {{ - ['matrix-' + matrix_homeserver_implementation + '.service'] + (['docker.service']) + + + ([(devture_postgres_identifier + '.service')] if devture_postgres_enabled else []) }} -###################################################################### -# -# /matrix-postgres -# -###################################################################### +devture_postgres_backup_container_network: "{{ matrix_docker_network }}" + +devture_postgres_backup_uid: "{{ matrix_user_uid }}" +devture_postgres_backup_gid: "{{ matrix_user_gid }}" + +devture_postgres_backup_connection_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +devture_postgres_backup_connection_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +devture_postgres_backup_connection_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" +devture_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" + +devture_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" + +devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" + +######################################################################## +# # +# /com.devture.ansible.role.postgres_backup # +# # +######################################################################## + ###################################################################### # @@ -2217,9 +3249,20 @@ matrix_postgres_systemd_services_to_stop_for_maintenance_list: | matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. -matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" +matrix_sygnal_metrics_prometheus_enabled: "{{ prometheus_enabled }}" + +matrix_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" + +matrix_sygnal_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-sygnal' }}" + +matrix_sygnal_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}" +matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -2229,31 +3272,61 @@ matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enable ###################################################################### # -# matrix-ntfy +# etke/ntfy # ###################################################################### -matrix_ntfy_enabled: false +ntfy_enabled: false + +ntfy_identifier: matrix-ntfy + +ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" + +ntfy_uid: "{{ matrix_user_uid }}" +ntfy_gid: "{{ matrix_user_gid }}" + +ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" + +ntfy_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else ntfy_identifier }}" + +ntfy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" -matrix_ntfy_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:2586' }}" +ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +ntfy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | + {{ + [matrix_server_fqn_matrix] + }} ###################################################################### # -# /matrix-ntfy +# /etky/ntfy # ###################################################################### ###################################################################### # -# matrix-redis +# etke/redis # ###################################################################### -matrix_redis_enabled: "{{ matrix_synapse_workers_enabled }}" +redis_enabled: "{{ matrix_synapse_workers_enabled }}" + +redis_identifier: matrix-redis + +redis_uid: "{{ matrix_user_uid }}" +redis_gid: "{{ matrix_user_gid }}" + +redis_base_path: "{{ matrix_base_data_path }}/redis" ###################################################################### # -# /matrix-redis +# /etle/redis # ###################################################################### @@ -2272,7 +3345,16 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in # Normally, matrix-nginx-proxy is enabled and nginx can reach Element over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Element HTTP port to the local host. -matrix_client_element_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}" +matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_client_element_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-element' }}" + +matrix_client_element_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_element_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" @@ -2283,7 +3365,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" -matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_element_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}" @@ -2296,7 +3378,7 @@ matrix_client_element_enable_presence_by_hs_url: | matrix_client_element_welcome_user_id: ~ -matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}" +matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" ###################################################################### # @@ -2312,14 +3394,25 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr matrix_client_hydrogen_enabled: false +matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" +matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_client_hydrogen_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-hydrogen' }}" + +matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" ###################################################################### # @@ -2340,11 +3433,20 @@ matrix_client_cinny_container_image_self_build: "{{ matrix_architecture not in [ # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" +matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_client_cinny_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-cinny' }}" + +matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_cinny_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" ###################################################################### # @@ -2360,36 +3462,36 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_re matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}" +matrix_synapse_username: "{{ matrix_user_username }}" +matrix_synapse_uid: "{{ matrix_user_uid }}" +matrix_synapse_gid: "{{ matrix_user_gid }}" + matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself. matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, -# you can expose Synapse's ports to the host. -# -# For exposing the Matrix Client API's port (plain HTTP) to the local host. -matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_client_api_port | string }}" -# -# For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. -matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_api_plain_port | string }}" -# # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # # For exposing the Synapse Metrics API's port (plain HTTP) to the local host. -matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9100') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse Manhole port (plain HTTP) to the local host. -matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" -# +matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_synapse_container_additional_networks: | + {{ + ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else []) + }} + # For exposing the Synapse worker (and metrics) ports to the local host. -matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}" -matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_host: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}" -matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac') | to_uuid }}" +matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac', rounds=655555) | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -2397,10 +3499,10 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ -matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}" +matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}" # If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse. -matrix_synapse_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_synapse_metrics_enabled: "{{ prometheus_enabled }}" matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" @@ -2421,7 +3523,7 @@ matrix_synapse_turn_uris: | [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else [] + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', @@ -2431,13 +3533,15 @@ matrix_synapse_turn_uris: | matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_synapse_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_synapse_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + ([redis_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else []) + (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) }} @@ -2450,12 +3554,15 @@ matrix_synapse_systemd_wanted_services_list: | }} # Synapse workers (used for parallel load-scaling) need Redis for IPC. -matrix_synapse_redis_enabled: "{{ matrix_redis_enabled }}" -matrix_synapse_redis_host: "{{ 'matrix-redis' if matrix_redis_enabled else '' }}" -matrix_synapse_redis_password: "{{ matrix_redis_connection_password if matrix_redis_enabled else '' }}" +matrix_synapse_redis_enabled: "{{ redis_enabled }}" +matrix_synapse_redis_host: "{{ redis_identifier if redis_enabled else '' }}" +matrix_synapse_redis_password: "{{ redis_connection_password if redis_enabled else '' }}" + +matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}" +matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}" -matrix_synapse_container_runtime_injected_arguments: "{{ matrix_homeserver_container_runtime_injected_arguments }}" -matrix_synapse_app_service_runtime_injected_config_files: "{{ matrix_homeserver_app_service_runtime_injected_config_files }}" +# Disable creation of media repository Synapse worker when using media-repo +matrix_synapse_ext_media_repo_enabled: "{{ matrix_media_repo_enabled }}" ###################################################################### # @@ -2463,6 +3570,77 @@ matrix_synapse_app_service_runtime_injected_config_files: "{{ matrix_homeserver_ # ###################################################################### + +###################################################################### +# +# matrix-synapse-auto-compressor +# +###################################################################### + +# Not enabled by default, for now +matrix_synapse_auto_compressor_enabled: false + +matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +matrix_synapse_auto_compressor_container_additional_networks: | + {{ + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_synapse_auto_compressor_container_network else []) + }} + +matrix_synapse_auto_compressor_database_username: "{{ matrix_synapse_database_user if matrix_synapse_enabled else '' }}" +matrix_synapse_auto_compressor_database_password: "{{ matrix_synapse_database_password if matrix_synapse_enabled else '' }}" +matrix_synapse_auto_compressor_database_hostname: "{{ matrix_synapse_database_host if matrix_synapse_enabled else '' }}" +matrix_synapse_auto_compressor_database_port: "{{ matrix_synapse_database_port if matrix_synapse_enabled else '5432' }}" +matrix_synapse_auto_compressor_database_name: "{{ matrix_synapse_database_database if matrix_synapse_enabled else '' }}" + +matrix_synapse_auto_compressor_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +###################################################################### +# +# /matrix-synapse-auto-compressor +# +###################################################################### + + +###################################################################### +# +# matrix-synapse-reverse-proxy-companion +# +###################################################################### + +matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}" + +matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" + +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" +matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" +matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}" + +matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" + +###################################################################### +# +# /matrix-synapse-reverse-proxy-companion +# +###################################################################### + ###################################################################### # # matrix-synapse-admin @@ -2471,132 +3649,314 @@ matrix_synapse_app_service_runtime_injected_config_files: "{{ matrix_homeserver_ matrix_synapse_admin_enabled: false -# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse Admin over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Synapse Admin's HTTP port to the local host. -matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" +matrix_synapse_admin_nginx_proxy_integration_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" + +matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_synapse_admin_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-synapse-admin' }}" + +matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + ###################################################################### # # /matrix-synapse-admin # ###################################################################### + ###################################################################### # -# matrix-prometheus-node-exporter +# etke/prometheus_node_exporter # ###################################################################### -matrix_prometheus_node_exporter_enabled: false +prometheus_node_exporter_enabled: false + +prometheus_node_exporter_identifier: matrix-prometheus-node-exporter + +prometheus_node_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-node-exporter" + +prometheus_node_exporter_uid: "{{ matrix_user_uid }}" +prometheus_node_exporter_gid: "{{ matrix_user_gid }}" + +# _server_fqn is the old var, _hostname - the new one. Seamless migration +prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" +prometheus_node_exporter_hostname: "{{ prometheus_node_exporter_server_fqn }}" + +prometheus_node_exporter_container_network: "{{ matrix_docker_network }}" + +prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +prometheus_node_exporter_container_labels_traefik_enabled: false +prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # -# /matrix-prometheus-node-exporter +# /etke/prometheus_node_exporter # ###################################################################### + ###################################################################### # -# matrix-prometheus +# etke/prometheus_postgres_exporter # ###################################################################### -matrix_prometheus_enabled: false +prometheus_postgres_exporter_enabled: false -# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Prometheus' HTTP port to the local host. -matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}" +prometheus_postgres_exporter_identifier: matrix-prometheus-postgres-exporter + +prometheus_postgres_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-postgres-exporter" + +prometheus_postgres_exporter_uid: "{{ matrix_user_uid }}" +prometheus_postgres_exporter_gid: "{{ matrix_user_gid }}" + +prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" + +prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}" -matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" -matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] -matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" +prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +prometheus_postgres_exporter_container_labels_traefik_enabled: false +prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter +prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db', rounds=655555) | to_uuid }}" +prometheus_postgres_exporter_database_name: matrix_prometheus_postgres_exporter + +prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +###################################################################### +# +# /etke/prometheus_postgres_exporter +# +###################################################################### -matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" -matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" -matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}" -matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port | string] if matrix_prometheus_scraper_postgres_enabled else [] }}" +###################################################################### +# +# matrix-prometheus-nginxlog-exporter +# +###################################################################### -matrix_prometheus_scraper_hookshot_enabled: "{{ matrix_hookshot_metrics_enabled|default(false) }}" -matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | string +':'+ matrix_hookshot_metrics_port | string] if matrix_hookshot_metrics_enabled else [] }}" +matrix_prometheus_nginxlog_exporter_enabled: false ###################################################################### # -# /matrix-prometheus +# /matrix-prometheus-nginxlog-exporter # ###################################################################### + ###################################################################### # -# matrix-prometheus-postgres-exporter +# prometheus # ###################################################################### -matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +prometheus_enabled: false + +prometheus_identifier: matrix-prometheus + +prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" -matrix_prometheus_postgres_exporter_systemd_required_services_list: | +prometheus_uid: "{{ matrix_user_uid }}" +prometheus_gid: "{{ matrix_user_gid }}" + +prometheus_container_additional_networks: | {{ - ['docker.service'] + ( + ([prometheus_node_exporter_container_network] if prometheus_self_node_scraper_enabled and prometheus_node_exporter_container_network != prometheus_container_network else []) + + + ([matrix_synapse_container_network] if matrix_prometheus_services_connect_scraper_synapse_enabled and matrix_synapse_container_network != prometheus_container_network else []) + + + ([prometheus_postgres_exporter_container_network] if matrix_prometheus_services_connect_scraper_postgres_enabled and prometheus_postgres_exporter_container_network != prometheus_container_network else []) + + + ([matrix_hookshot_container_network] if matrix_prometheus_services_connect_scraper_hookshot_enabled and matrix_hookshot_container_network != prometheus_container_network else []) + + + ([matrix_prometheus_nginxlog_exporter_container_network] if matrix_prometheus_services_connect_scraper_nginxlog_enabled and matrix_prometheus_nginxlog_exporter_container_network != prometheus_container_network else []) + + + ([matrix_media_repo_container_network] if matrix_prometheus_services_connect_scraper_media_repo_enabled and matrix_media_repo_container_network != prometheus_container_network else []) + ) | unique + }} + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# Prometheus' HTTP port to the local host. +prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +prometheus_config_rule_files_auto: | + {{ + (['synapse-v2.rules'] if matrix_prometheus_services_connect_synapse_rules_enabled else []) + }} + +prometheus_self_node_scraper_enabled: "{{ prometheus_node_exporter_enabled }}" +prometheus_self_node_scraper_static_configs_target: "{{ (prometheus_node_exporter_identifier + ':9100') if prometheus_node_exporter_enabled else '' }}" + +prometheus_config_scrape_configs_auto: | + {{ + (matrix_prometheus_services_connect_scraper_synapse_configs if matrix_prometheus_services_connect_scraper_synapse_enabled else []) + + + (matrix_prometheus_services_connect_scraper_postgres_scrape_configs if matrix_prometheus_services_connect_scraper_postgres_enabled else []) + + + (matrix_prometheus_services_connect_scraper_hookshot_scrape_configs if matrix_prometheus_services_connect_scraper_hookshot_enabled else []) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs if matrix_prometheus_services_connect_scraper_nginxlog_enabled else []) + + + (matrix_prometheus_services_connect_scraper_media_repo_scrape_configs if matrix_prometheus_services_connect_scraper_media_repo_enabled else []) }} ###################################################################### # -# /matrix-prometheus-postgres-exporter +# /prometheus +# +###################################################################### + + +###################################################################### +# +# matrix-prometheus-services-connect # ###################################################################### +matrix_prometheus_services_connect_synapse_enabled: "{{ prometheus_enabled and matrix_synapse_enabled }}" + +matrix_prometheus_services_connect_synapse_rules_download_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" +matrix_prometheus_services_connect_synapse_rules_download_dir_path: "{{ prometheus_config_path }}" +matrix_prometheus_services_connect_synapse_rules_download_owner: "{{ prometheus_uid }}" +matrix_prometheus_services_connect_synapse_rules_download_group: "{{ prometheus_gid }}" + +matrix_prometheus_services_connect_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target: "matrix-synapse:{{ matrix_synapse_metrics_port }}" +matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" + +matrix_prometheus_services_connect_scraper_postgres_enabled: "{{ prometheus_postgres_exporter_enabled }}" +matrix_prometheus_services_connect_scraper_postgres_static_configs_target: "{{ prometheus_postgres_exporter_identifier }}:{{ prometheus_postgres_exporter_port | string }}" + +matrix_prometheus_services_connect_scraper_hookshot_enabled: "{{ matrix_hookshot_enabled and matrix_hookshot_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_metrics_port | string }}" + +matrix_prometheus_services_connect_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port | string }}" + +matrix_prometheus_services_connect_scraper_media_repo_enabled: "{{ matrix_media_repo_enabled and matrix_media_repo_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_metrics_port }}" + ###################################################################### # -# matrix-grafana +# /matrix-prometheus-services-connect # ###################################################################### -matrix_grafana_enabled: false + +###################################################################### +# +# etke/grafana +# +###################################################################### + +grafana_enabled: false + +grafana_identifier: matrix-grafana + +grafana_uid: "{{ matrix_user_uid }}" +grafana_gid: "{{ matrix_user_gid }}" + +grafana_hostname: "{{ matrix_server_fqn_grafana }}" + +grafana_base_path: "{{ matrix_base_data_path }}/grafana" + +grafana_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else grafana_identifier }}" + +grafana_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([prometheus_container_network] if prometheus_enabled and prometheus_container_network != grafana_container_network else []) + ) | unique + }} + +grafana_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Grafana's HTTP port to the local host. -matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_grafana_dashboard_download_urls: | +grafana_provisioning_datasources: | + {{ + ([{ + 'name': (matrix_server_fqn_matrix + ' - Prometheus'), + 'type': 'prometheus', + 'access': 'proxy', + 'url': 'http://matrix-prometheus:9090', + }] if prometheus_enabled else []) + }} + +grafana_dashboard_download_urls: | {{ (matrix_synapse_grafana_dashboard_urls if matrix_homeserver_implementation == 'synapse' and matrix_synapse_metrics_enabled else []) + - (matrix_prometheus_node_exporter_dashboard_urls if matrix_prometheus_node_exporter_enabled else []) + (prometheus_node_exporter_dashboard_urls if prometheus_node_exporter_enabled else []) + + + (prometheus_postgres_exporter_dashboard_urls if prometheus_postgres_exporter_enabled else []) + + + (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) + - (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + (matrix_media_repo_dashboard_urls if matrix_media_repo_metrics_enabled else []) }} -matrix_grafana_default_home_dashboard_path: |- +grafana_provisioning_dashboard_template_files: | {{ - { - 'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled else '/etc/grafana/dashboards/node-exporter-full.json'), - 'dendrite': '/etc/grafana/dashboards/node-exporter-full.json', - 'conduit': '/etc/grafana/dashboards/node-exporter-full.json', - }[matrix_homeserver_implementation] + ([{ + 'path': 'roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json', + 'name': 'nginx-proxy.json', + }] if matrix_prometheus_nginxlog_exporter_enabled else []) + + + ([{ + 'path': 'roles/custom/matrix-media-repo/templates/grafana/media-repo.json', + 'name': 'media-repo.json', + }] if matrix_media_repo_metrics_enabled else []) }} -matrix_grafana_systemd_wanted_services_list: | +grafana_default_home_dashboard_path: |- {{ - [] - + - (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + { + 'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled else ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else '')), + 'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), + 'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), + }[matrix_homeserver_implementation] }} ###################################################################### # -# /matrix-grafana +# /etke/grafana # ###################################################################### + ###################################################################### # # matrix-registration @@ -2608,7 +3968,7 @@ matrix_registration_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-registration's HTTP port to the local host. -matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8767' }}" +matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" @@ -2616,14 +3976,14 @@ matrix_registration_shared_secret: |- {{ { 'synapse': matrix_synapse_registration_shared_secret, - 'dendrite': matrix_dendrite_registration_shared_secret, + 'dendrite': matrix_dendrite_client_api_registration_shared_secret, 'conduit': '', }[matrix_homeserver_implementation] }} matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" -matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_registration_api_validate_certs: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -2631,12 +3991,13 @@ matrix_registration_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +# Postgres is the default, except if not using internal Postgres server +matrix_registration_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_registration_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -2644,35 +4005,63 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener # ###################################################################### + ###################################################################### # -# matrix-postgres-backup +# matrix-sliding-sync # ###################################################################### -matrix_postgres_backup_connection_hostname: "{{ matrix_postgres_connection_hostname }}" -matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" -matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" -matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" +# We don't enable the sliding sync proxy by default. +matrix_sliding_sync_enabled: false + +matrix_sliding_sync_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_sliding_sync_path_prefix: /sliding-sync + +matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_sliding_sync_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_sliding_sync_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_sliding_sync_container_network else []) + ) | unique + }} -matrix_postgres_backup_postgres_data_path: "{{ matrix_postgres_data_path if matrix_postgres_enabled else '' }}" +matrix_sliding_sync_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sliding_sync_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -# the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used -matrix_postgres_backup_databases: | +matrix_sliding_sync_systemd_required_services_list: | {{ - (([{ - 'name': matrix_synapse_database_database - }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + - matrix_postgres_additional_databases)|map(attribute='name') | list + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} +matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.secret', rounds=655555) | to_uuid }}" + +matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}" + ###################################################################### # -# /matrix-postgres-backup +# /matrix-sliding-sync # ###################################################################### + ###################################################################### # # matrix-dendrite @@ -2686,20 +4075,20 @@ matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" # you can expose Dendrite's ports to the host. # # For exposing Dendrite's plain HTTP server to the local host. -matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port | string) }}" +matrix_dendrite_container_http_host_bind_address: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_dendrite_http_bind_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing Dendrite's HTTPS server to the local host. -matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port | string) }}" +matrix_dendrite_container_https_host_bind_address: "{{ '' if not matrix_dendrite_https_bind_port or not matrix_playbook_service_host_bind_interface_prefix else (matrix_playbook_service_host_bind_interface_prefix + matrix_dendrite_https_bind_port | string) }}" -matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" +matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" -matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss') | to_uuid }}" +matrix_dendrite_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. -matrix_dendrite_turn_uris: | +matrix_dendrite_client_api_turn_uris: | {{ [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', @@ -2711,11 +4100,11 @@ matrix_dendrite_turn_uris: | else [] }} -matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" +matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_disable_tls_validation: "{{ true if matrix_playbook_ssl_retrieval_method == 'self-signed' else false }}" -matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" @@ -2723,7 +4112,7 @@ matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) }} @@ -2733,8 +4122,8 @@ matrix_dendrite_systemd_wanted_services_list: | (['matrix-coturn.service'] if matrix_coturn_enabled else []) }} -matrix_dendrite_container_runtime_injected_arguments: "{{ matrix_homeserver_container_runtime_injected_arguments }}" -matrix_dendrite_app_service_runtime_injected_config_files: "{{ matrix_homeserver_app_service_runtime_injected_config_files }}" +matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}" +matrix_dendrite_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}" ###################################################################### # @@ -2771,29 +4160,35 @@ matrix_conduit_systemd_required_services_list: | matrix_user_creator_users_auto: | {{ - [{ + ([{ + 'username': matrix_bot_matrix_registration_bot_matrix_user_id_localpart, + 'initial_password': matrix_bot_matrix_registration_bot_bot_password, + 'initial_type': 'admin', + }] if matrix_bot_matrix_registration_bot_enabled else []) + + + ([{ 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, 'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password, 'initial_type': 'bot', - }] if matrix_bot_matrix_reminder_bot_enabled else [] + }] if matrix_bot_matrix_reminder_bot_enabled else []) + - [{ + ([{ 'username': matrix_bot_honoroit_login, 'initial_password': matrix_bot_honoroit_password, 'initial_type': 'bot', - }] if matrix_bot_honoroit_enabled else [] + }] if matrix_bot_honoroit_enabled else []) + - [{ + ([{ 'username': matrix_bot_postmoogle_login, 'initial_password': matrix_bot_postmoogle_password, 'initial_type': 'bot', - }] if matrix_bot_postmoogle_enabled else [] + }] if matrix_bot_postmoogle_enabled else []) + - [{ + ([{ 'username': matrix_bot_buscarron_login, 'initial_password': matrix_bot_buscarron_password, 'initial_type': 'bot', - }] if matrix_bot_buscarron_enabled else [] + }] if matrix_bot_buscarron_enabled else []) }} ###################################################################### @@ -2801,3 +4196,148 @@ matrix_user_creator_users_auto: | # /matrix-user-creator # ###################################################################### + + +###################################################################### +# +# matrix-user-verification-service +# +###################################################################### + +## FIXME: Needs to be updated when there is a proper release by upstream. +matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" + +matrix_user_verification_service_enabled: false +matrix_user_verification_service_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-' + matrix_homeserver_implementation + '.service']) + }} + +matrix_user_verification_service_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_user_verification_service_container_network else []) + ) | unique + }} + +# If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. +# If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose +# matrix-user-verfification-services's client-server port to port 3003. +# By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003. +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (jitsi_enabled | bool and jitsi_enable_auth | bool and jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}" + +# URL exposed in the docker network +matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" + +# We connect via the container network (private IPs), so we need to disable IP checks +matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}" + +matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-user-verification-service +# +###################################################################### + + +######################################################################## +# # +# com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + +devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" + +devture_container_socket_proxy_identifier: matrix-container-socket-proxy + +devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy" + +devture_container_socket_proxy_uid: "{{ matrix_user_uid }}" +devture_container_socket_proxy_gid: "{{ matrix_user_gid }}" + +# Traefik requires read access to the containers APIs to do its job +devture_container_socket_proxy_api_containers_enabled: true + +######################################################################## +# # +# /com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.traefik # +# # +######################################################################## + +devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" + +devture_traefik_identifier: matrix-traefik + +devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik" + +devture_traefik_uid: "{{ matrix_user_uid }}" +devture_traefik_gid: "{{ matrix_user_gid }}" + +devture_traefik_federation_entrypoint: + name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "{{ matrix_federation_public_port }}" + config: {} + +devture_traefik_additional_entrypoints_auto: | + {{ + ([devture_traefik_federation_entrypoint] if (matrix_federation_public_port != devture_traefik_config_entrypoint_web_port) and (matrix_federation_public_port != devture_traefik_config_entrypoint_web_secure_port) else []) + }} + +devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" + +devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" + +devture_traefik_container_additional_networks: | + {{ + ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else []) + }} + +devture_traefik_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else []) + }} + +######################################################################## +# # +# /com.devture.ansible.role.traefik # +# # +######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.traefik_certs_dumper # +# # +######################################################################## + +devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled and devture_traefik_config_certificatesResolvers_acme_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" + +devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper + +devture_traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumper" + +devture_traefik_certs_dumper_uid: "{{ matrix_user_uid }}" +devture_traefik_certs_dumper_gid: "{{ matrix_user_gid }}" + +devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path if devture_traefik_enabled else '' }}" + +######################################################################## +# # +# /com.devture.ansible.role.traefik_certs_dumper # +# # +######################################################################## diff --git a/inventory/scripts/jitsi-generate-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh deleted file mode 100755 index f24a3fba5..000000000 --- a/inventory/scripts/jitsi-generate-passwords.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/env bash -# This is a bash script for generating strong passwords for the Jitsi role in this ansible project: -# https://github.com/spantaleev/matrix-docker-ansible-deploy - -function generatePassword() { - openssl rand -hex 16 -} - -echo "# If this script fails, it's likely because you don't have the openssl tool installed." -echo "# Install it before using this script, or simply create your own passwords manually." - -echo "" - -JICOFO_AUTH_PASSWORD=$(generatePassword) -JVB_AUTH_PASSWORD=$(generatePassword) -JIBRI_RECORDER_PASSWORD=$(generatePassword) -JIBRI_XMPP_PASSWORD=$(generatePassword) - -echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" -echo "" -echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" -echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" -echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" -echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" diff --git a/jitsi_jvb.yml b/jitsi_jvb.yml new file mode 100644 index 000000000..16acd0ee6 --- /dev/null +++ b/jitsi_jvb.yml @@ -0,0 +1,35 @@ +--- +- name: "Set up additional Jitsi JVB servers" + hosts: "jitsi_jvb_servers" + become: true + + roles: + - role: galaxy/com.devture.ansible.role.playbook_help + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + + - custom/matrix-base + - galaxy/jitsi + - custom/matrix-common-after + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/justfile b/justfile new file mode 100644 index 000000000..46abd7bfb --- /dev/null +++ b/justfile @@ -0,0 +1,60 @@ +# Shows help +default: + @just --list --justfile {{ justfile() }} + +# Pulls external Ansible roles +roles: + #!/usr/bin/env sh + if [ -x "$(command -v agru)" ]; then + agru + else + rm -rf roles/galaxy + ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force + fi + +# Updates requirements.yml if there are any new tags available. Requires agru +update: + @agru -u + +# Runs ansible-lint against all roles in the playbook +lint: + ansible-lint + +# Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments +install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args) + +# Runs installation tasks for a single service +install-service service *extra_args: + just --justfile {{ justfile() }} run \ + --tags=install-{{ service }},start-group \ + --extra-vars=group={{ service }} \ + --extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }} + +# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments +setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args) + +# Runs the playbook with the given list of arguments +run +extra_args: + ansible-playbook -i inventory/hosts setup.yml {{ extra_args }} + +# Runs the playbook with the given list of comma-separated tags and optional arguments +run-tags tags *extra_args: + just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }} + +# Runs the playbook in user-registration mode +register-user username password admin_yes_or_no *extra_args: + ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }} + +# Starts all services +start-all *extra_args: (run-tags "start-all" extra_args) + +# Starts a specific service group +start-group group *extra_args: + @just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }} + +# Stops all services +stop-all *extra_args: (run-tags "stop-all" extra_args) + +# Stops a specific service group +stop-group group *extra_args: + @just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }} diff --git a/requirements.yml b/requirements.yml index a57b63a9b..1ef1f4da0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,16 +1,53 @@ --- +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git + version: v1.0.0-1 + name: auxiliary +- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git + version: v1.2.4-1.7.15-1 +- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git + version: v0.1.1-2 +- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git + version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f - -- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git - version: 327d2e17f5189ac2480d6012f58cf64a2b46efba - -- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 461ace97fcf0e36c76747b36fcad8587d9b072f5 - +- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git + version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - -- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git - version: f1c78d4e85e875129790c58335d0e44385683f6b +- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git + version: v15.3-0 +- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git + version: a0cc7c1c696872ba8880d9c5e5a54098de825030 +- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git + version: v1.0.0-0 +- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git + version: v1.0.0-1 +- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git + version: v1.0.0-0 +- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git + version: v2.10.4-0 +- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git + version: v2.8.1-0 +- src: git+https://gitlab.com/etke.cc/roles/etherpad.git + version: v1.9.0-0 +- src: git+https://github.com/geerlingguy/ansible-role-docker + version: 6.1.0 + name: geerlingguy.docker +- src: git+https://gitlab.com/etke.cc/roles/grafana.git + version: v10.0.3-0 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git + version: v8615-2 + name: jitsi +- src: git+https://gitlab.com/etke.cc/roles/ntfy.git + version: v2.6.2-0 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git + version: v2.45.0-0 + name: prometheus +- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git + version: v1.6.0-0 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git + version: v0.13.2-0 + name: prometheus_postgres_exporter +- src: git+https://gitlab.com/etke.cc/roles/redis.git + version: v7.0.10-0 diff --git a/roles/custom/etherpad-proxy-connect/defaults/main.yml b/roles/custom/etherpad-proxy-connect/defaults/main.yml new file mode 100644 index 000000000..83df826f8 --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/defaults/main.yml @@ -0,0 +1,11 @@ +--- + +# etherpad-proxy-connect is a compatibility role connecting the new Etherpad role with matrix-nginx-proxy. +# It adds back support for serving Etherpad under the Dimension domain (`matrix_server_fqn_dimension`). + +# Controls whether Etherpad will be hosted under the Dimension domain when matrix-nginx-proxy is used (depending on matrix_playbook_reverse_proxy_type). +# If you're not using matrix-nginx-proxy, then this value has no effect. +etherpad_nginx_proxy_dimension_integration_enabled: false + +# Controls the path at which Etherpad will be exposed on the Dimension domain. +etherpad_nginx_proxy_dimension_integration_path_prefix: "{{ etherpad_path_prefix }}" diff --git a/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..6252dba1c --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,46 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-etherpad role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Etherpad proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + etherpad_matrix_nginx_proxy_configuration: | + rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent; + + location {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + proxy_pass http://{{ etherpad_identifier }}:9001/; + {# These are proxy directives needed specifically by Etherpad #} + proxy_buffering off; + proxy_http_version 1.1; # recommended with keepalive connections + proxy_pass_header Server; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used + # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% else %} + {# Generic configuration for use outside of our container setup #} + # A good guide for setting up your Etherpad behind nginx: + # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html + proxy_pass http://127.0.0.1:9001/; + {% endif %} + } + +- name: Register Etherpad proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([]) + + + [etherpad_matrix_nginx_proxy_configuration] + }} diff --git a/roles/custom/etherpad-proxy-connect/tasks/main.yml b/roles/custom/etherpad-proxy-connect/tasks/main.yml new file mode 100644 index 000000000..630ab87f1 --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml @@ -0,0 +1,12 @@ +--- + +- when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool + tags: + - install-all + - setup-all + - install-nginx-proxy + - setup-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" diff --git a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml new file mode 100644 index 000000000..51a672ee5 --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml @@ -0,0 +1,32 @@ +--- + +- name: Fail if reverse-proxy is not nginx + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy. + `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy. + If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead. + +- name: Fail if Dimension not enabled + when: not matrix_dimension_enabled + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension. + Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`). + Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead. + +- name: Fail if Etherpad hostname does not match Dimension hostname + when: etherpad_hostname != matrix_server_fqn_dimension + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`. + Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}` + +- name: Fail if / path prefix used for Etherpad + when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad. + You've chosen a path prefix of `/` in `etherpad_nginx_proxy_dimension_integration_path_prefix`. + The `/` path must go to Dimension itself, so you need to pick a different prefix (e.g. `/etherpad`). diff --git a/roles/custom/matrix-aux/defaults/main.yml b/roles/custom/matrix-aux/defaults/main.yml deleted file mode 100644 index 4c1f88796..000000000 --- a/roles/custom/matrix-aux/defaults/main.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- - -# matrix-aux is a role that manages auxiliary files and directories on your Matrix server. -# -# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.). -# This role allows such files to be managed by the playbook. -# -# Note that files and directories created via this role are not automatically made available for containers to use. -# If you use this role to put files in a directory that's already mounted into a container, -# you can access the files without additional work. -# Otherwise, you'd need to mount the file/directory to the container that needs it. -# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable -# that you can use to mount an additional volume. - -# The default permission mode when creating directories using `matrix_aux_directory_definitions` -matrix_aux_directory_default_mode: '0750' - -# Holds a list of directories to create on the server. -# -# By default, directories are: -# - created with permissions as specified in `matrix_aux_directory_default_mode` -# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) -# -# Example: -# -# matrix_aux_directory_definitions: -# - dest: /matrix/aux -# -# - dest: /matrix/another -# mode: '0700' -# owner: 'some-user' -# group: 'some-group' -matrix_aux_directory_definitions: [] - -# The default permission mode when creating directories using `matrix_aux_directory_definitions` -matrix_aux_file_default_mode: '0640' - -# Holds a list of files to create on the server. -# -# By default, files are: -# - created with permissions as specified in `matrix_aux_file_default_mode` -# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) -# -# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below). -# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files, -# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`). -# -# Note: parent paths for files must exist. -# If you've defined a file with a destination of `/matrix/some/path/file.txt`, -# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well. -# You don't need to do this for directories that the playbook already creates for you. -# -# Use a `content` key for text content and `src` with a location to a file for binary content. -# The `content` key does not support binary content (see https://github.com/ansible/ansible/issues/11594). -# -# Example: -# -# matrix_aux_file_definitions: -# - dest: "{{ matrix_synapse_config_dir_path }}/something.html" -# content: | -# -# Something -# -# - dest: /matrix/aux/some-other-file.txt -# content: "Something" -# mode: '0600' -# owner: 'some-user' -# group: 'some-group' -# -# - dest: /matrix/aux/yet-another-file.txt -# content: "{{ lookup('template', '/path/to/file.txt.j2') }}" -# mode: '0600' -# owner: 'some-user' -# group: 'some-group' -# -# - dest: /matrix/aux/binary-file.dat -# src: "/path/to/binary.dat" -# mode: '0600' -# owner: 'some-user' -# group: 'some-group' -matrix_aux_file_definitions: [] diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml deleted file mode 100644 index df7c77d0c..000000000 --- a/roles/custom/matrix-aux/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - when: run_stop | bool - tags: - - setup-all - - setup-aux-files diff --git a/roles/custom/matrix-aux/tasks/setup.yml b/roles/custom/matrix-aux/tasks/setup.yml deleted file mode 100644 index eb0adad49..000000000 --- a/roles/custom/matrix-aux/tasks/setup.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Ensure AUX directories are created - ansible.builtin.file: - dest: "{{ item.dest }}" - state: directory - owner: "{{ item.owner | default(matrix_user_username) }}" - group: "{{ item.group | default(matrix_user_groupname) }}" - mode: "{{ item.mode | default(matrix_aux_directory_default_mode) }}" - with_items: "{{ matrix_aux_directory_definitions }}" - -- name: Ensure AUX files are created - ansible.builtin.copy: - src: "{{ item.src if 'src' in item else omit }}" - content: "{{ item.content if 'content' in item else omit }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner | default(matrix_user_username) }}" - group: "{{ item.group | default(matrix_user_groupname) }}" - mode: "{{ item.mode | default(matrix_aux_file_default_mode) }}" - with_items: "{{ matrix_aux_file_definitions }}" diff --git a/roles/custom/matrix-backup-borg/defaults/main.yml b/roles/custom/matrix-backup-borg/defaults/main.yml deleted file mode 100644 index de086ebd9..000000000 --- a/roles/custom/matrix-backup-borg/defaults/main.yml +++ /dev/null @@ -1,104 +0,0 @@ ---- -# Project source code URL: https://gitlab.com/etke.cc/borgmatic - -matrix_backup_borg_enabled: true - -matrix_backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg" -matrix_backup_borg_config_path: "{{ matrix_backup_borg_base_path }}/config" - -matrix_backup_borg_container_image_self_build: false -matrix_backup_borg_docker_repo: "https://gitlab.com/etke.cc/borgmatic" -matrix_backup_borg_docker_repo_version: main -matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/docker-src" - -# version determined automatically, based on postgres server version (if enabled), otherwise latest is used -matrix_backup_borg_version: "" -matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}" -matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}" -matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}" - -# A list of extra arguments to pass to the container -matrix_backup_borg_container_extra_arguments: [] - -# List of systemd services that matrix-backup-borg.service depends on -matrix_backup_borg_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-backup-borg.service wants -matrix_backup_borg_systemd_wanted_services_list: [] - -# systemd calendar configuration for the backup job -# the actual job may run with a delay (see matrix_backup_borg_schedule_randomized_delay_sec) -matrix_backup_borg_schedule: "*-*-* 04:00:00" -# the delay with which the systemd timer may run in relation to the `matrix_backup_borg_schedule` schedule -matrix_backup_borg_schedule_randomized_delay_sec: 2h - -# what directories should be added to backup -matrix_backup_borg_location_source_directories: [] - -# postgres db backup -matrix_backup_borg_postgresql_enabled: true -matrix_backup_borg_supported_postgres_versions: ['12', '13', '14'] -matrix_backup_borg_postgresql_databases: [] -matrix_backup_borg_postgresql_databases_hostname: "matrix-postgres" -matrix_backup_borg_postgresql_databases_username: "matrix" -matrix_backup_borg_postgresql_databases_password: "" -matrix_backup_borg_postgresql_databases_port: 5432 - -# target repositories -matrix_backup_borg_location_repositories: [] - -# exclude following paths: -matrix_backup_borg_location_exclude_patterns: [] - -# borg encryption mode, only "repokey-*" and "none" are supported -matrix_backup_borg_encryption: repokey-blake2 - -# private ssh key used to connect to the borg repo -matrix_backup_borg_ssh_key_private: "" - -# allow unencrypted repo access -matrix_backup_borg_unknown_unencrypted_repo_access_is_ok: "{{ matrix_backup_borg_encryption == 'none' }}" - -# borg ssh command with ssh key -matrix_backup_borg_storage_ssh_command: ssh -o "StrictHostKeyChecking accept-new" -i /etc/borgmatic.d/sshkey - -# compression algorithm -matrix_backup_borg_storage_compression: lz4 - -# archive name format -matrix_backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S} - -# repository passphrase -matrix_backup_borg_storage_encryption_passphrase: "" - -# retention configuration -matrix_backup_borg_retention_keep_hourly: 0 -matrix_backup_borg_retention_keep_daily: 7 -matrix_backup_borg_retention_keep_weekly: 4 -matrix_backup_borg_retention_keep_monthly: 12 -matrix_backup_borg_retention_keep_yearly: 2 - -# retention prefix -matrix_backup_borg_retention_prefix: matrix- - -# Default borgmatic configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_backup_borg_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_backup_borg_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" - -matrix_backup_borg_configuration_extension_yaml: | - # Your custom YAML configuration for borgmatic goes here. - # This configuration extends the default starting configuration (`matrix_borg_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_backup_borg_configuration_yaml`. - -matrix_backup_borg_configuration_extension: "{{ matrix_backup_borg_configuration_extension_yaml | from_yaml if matrix_backup_borg_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final borgmatic configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_backup_borg_configuration_yaml`. -matrix_backup_borg_configuration: "{{ matrix_backup_borg_configuration_yaml | from_yaml | combine(matrix_backup_borg_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-backup-borg/tasks/init.yml b/roles/custom/matrix-backup-borg/tasks/init.yml deleted file mode 100644 index d57f12491..000000000 --- a/roles/custom/matrix-backup-borg/tasks/init.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-backup-borg.timer'] }}" - when: matrix_backup_borg_enabled | bool diff --git a/roles/custom/matrix-backup-borg/tasks/main.yml b/roles/custom/matrix-backup-borg/tasks/main.yml deleted file mode 100644 index 5de4559c5..000000000 --- a/roles/custom/matrix-backup-borg/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml deleted file mode 100644 index d12229e20..000000000 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ /dev/null @@ -1,123 +0,0 @@ ---- - -- when: matrix_backup_borg_postgresql_enabled | bool and matrix_backup_borg_version == '' - block: - - name: Fail with matrix_backup_borg_version advice if Postgres not enabled - ansible.builtin.fail: - msg: >- - You are not running a built-in Postgres server (`matrix_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen. - Consider setting `matrix_backup_borg_version` to your Postgres version manually. - when: not matrix_postgres_enabled - - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: detect_existing_postgres_version - - - name: Fail if detected Postgres version is unsupported - ansible.builtin.fail: - msg: "You cannot use borg backup with such an old version ({{ matrix_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql" - when: "matrix_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions" - - - name: Set the correct borg backup version to use - ansible.builtin.set_fact: - matrix_backup_borg_version: "{{ matrix_postgres_detected_version }}" - -- name: Ensure borg paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_backup_borg_config_path }}", when: true} - - {path: "{{ matrix_backup_borg_docker_src_files_path }}", when: true} - when: "item.when | bool" - -- name: Ensure borgmatic config is created - ansible.builtin.copy: - content: "{{ matrix_backup_borg_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_backup_borg_config_path }}/config.yaml" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -- name: Ensure borg passwd is created - ansible.builtin.template: - src: "{{ role_path }}/templates/passwd.j2" - dest: "{{ matrix_backup_borg_config_path }}/passwd" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -- name: Ensure borg ssh key is created - ansible.builtin.template: - src: "{{ role_path }}/templates/sshkey.j2" - dest: "{{ matrix_backup_borg_config_path }}/sshkey" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0600 - -- name: Ensure borg image is pulled - community.docker.docker_image: - name: "{{ matrix_backup_borg_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_backup_borg_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_backup_borg_docker_image_force_pull }}" - when: "not matrix_backup_borg_container_image_self_build | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure borg repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_backup_borg_docker_repo }}" - version: "{{ matrix_backup_borg_docker_repo_version }}" - dest: "{{ matrix_backup_borg_docker_src_files_path }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_backup_borg_git_pull_results - when: "matrix_backup_borg_container_image_self_build | bool" - -- name: Ensure borg image is built - community.docker.docker_image: - name: "{{ matrix_backup_borg_docker_image }}" - source: build - force_source: "{{ matrix_backup_borg_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_backup_borg_docker_src_files_path }}" - pull: true - when: "matrix_backup_borg_container_image_self_build | bool" - -- name: Ensure matrix-backup-borg.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-backup-borg.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - mode: 0644 - register: matrix_backup_borg_systemd_service_result - -- name: Ensure matrix-backup-borg.timer installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-backup-borg.timer.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" - mode: 0644 - register: matrix_backup_borg_systemd_timer_result - -- name: Ensure systemd reloaded after matrix-backup-borg.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_backup_borg_systemd_service_result.changed | bool" - -- name: Ensure matrix-backup-borg.service enabled - ansible.builtin.service: - enabled: true - name: matrix-backup-borg.service - -- name: Ensure matrix-backup-borg.timer enabled - ansible.builtin.service: - enabled: true - name: matrix-backup-borg.timer diff --git a/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml b/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml deleted file mode 100644 index c4c1028d4..000000000 --- a/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -- name: Check existence of matrix-backup-borg service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - register: matrix_backup_borg_service_stat - -- name: Ensure matrix-backup-borg is stopped - ansible.builtin.service: - name: matrix-backup-borg - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure matrix-backup-borg.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - state: absent - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure matrix-backup-borg.timer doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" - state: absent - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-backup-borg.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure Matrix borg paths don't exist - ansible.builtin.file: - path: "{{ matrix_backup_borg_base_path }}" - state: absent - -- name: Ensure borg Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_backup_borg_docker_image }}" - state: absent diff --git a/roles/custom/matrix-backup-borg/tasks/validate_config.yml b/roles/custom/matrix-backup-borg/tasks/validate_config.yml deleted file mode 100644 index 66e487dd9..000000000 --- a/roles/custom/matrix-backup-borg/tasks/validate_config.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Fail if required settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_backup_borg_ssh_key_private" - - "matrix_backup_borg_location_repositories" - -- name: Fail if encryption passphrase is undefined unless repository is unencrypted - ansible.builtin.fail: - msg: >- - You need to define a required passphrase using the `matrix_backup_borg_storage_encryption_passphrase` variable. - when: "matrix_backup_borg_storage_encryption_passphrase == '' and matrix_backup_borg_encryption != 'none'" diff --git a/roles/custom/matrix-backup-borg/templates/config.yaml.j2 b/roles/custom/matrix-backup-borg/templates/config.yaml.j2 deleted file mode 100644 index 210b7a65a..000000000 --- a/roles/custom/matrix-backup-borg/templates/config.yaml.j2 +++ /dev/null @@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True", trim_blocks: "True" - -location: - source_directories: {{ matrix_backup_borg_location_source_directories|to_json }} - repositories: {{ matrix_backup_borg_location_repositories|to_json }} - one_file_system: true - exclude_patterns: {{ matrix_backup_borg_location_exclude_patterns|to_json }} - -storage: - compression: {{ matrix_backup_borg_storage_compression|to_json }} - ssh_command: {{ matrix_backup_borg_storage_ssh_command|to_json }} - archive_name_format: {{ matrix_backup_borg_storage_archive_name_format|to_json }} - encryption_passphrase: {{ matrix_backup_borg_storage_encryption_passphrase|to_json }} - unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_repo_access_is_ok|to_json }} - -retention: - keep_hourly: {{ matrix_backup_borg_retention_keep_hourly|to_json }} - keep_daily: {{ matrix_backup_borg_retention_keep_daily|to_json }} - keep_weekly: {{ matrix_backup_borg_retention_keep_weekly|to_json }} - keep_monthly: {{ matrix_backup_borg_retention_keep_monthly|to_json }} - keep_yearly: {{ matrix_backup_borg_retention_keep_yearly|to_json }} - prefix: {{ matrix_backup_borg_retention_prefix|to_json }} - -consistency: - checks: - - repository - - archives - -hooks: -{% if matrix_backup_borg_postgresql_enabled and matrix_backup_borg_postgresql_databases|length > 0 %} - postgresql_databases: - {% for database in matrix_backup_borg_postgresql_databases %} - - name: {{ database|to_json }} - hostname: {{ matrix_backup_borg_postgresql_databases_hostname|to_json }} - username: {{ matrix_backup_borg_postgresql_databases_username|to_json }} - password: {{ matrix_backup_borg_postgresql_databases_password|to_json }} - port: {{ matrix_backup_borg_postgresql_databases_port|to_json }} - {% endfor %} -{% endif %} - after_backup: - - echo "Backup created." - on_error: - - echo "Error while creating a backup." diff --git a/roles/custom/matrix-backup-borg/templates/passwd.j2 b/roles/custom/matrix-backup-borg/templates/passwd.j2 deleted file mode 100644 index d3665cf4b..000000000 --- a/roles/custom/matrix-backup-borg/templates/passwd.j2 +++ /dev/null @@ -1,29 +0,0 @@ -{# the passwd file with correct username, UID and GID is mandatory to work with borg over ssh, otherwise ssh connections will fail #} -root:x:0:0:root:/root:/bin/ash -bin:x:1:1:bin:/bin:/sbin/nologin -daemon:x:2:2:daemon:/sbin:/sbin/nologin -adm:x:3:4:adm:/var/adm:/sbin/nologin -lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin -sync:x:5:0:sync:/sbin:/bin/sync -shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -halt:x:7:0:halt:/sbin:/sbin/halt -mail:x:8:12:mail:/var/mail:/sbin/nologin -news:x:9:13:news:/usr/lib/news:/sbin/nologin -uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin -operator:x:11:0:operator:/root:/sbin/nologin -man:x:13:15:man:/usr/man:/sbin/nologin -postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin -cron:x:16:16:cron:/var/spool/cron:/sbin/nologin -ftp:x:21:21::/var/lib/ftp:/sbin/nologin -sshd:x:22:22:sshd:/dev/null:/sbin/nologin -at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin -squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin -xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin -games:x:35:35:games:/usr/games:/sbin/nologin -cyrus:x:85:12::/usr/cyrus:/sbin/nologin -vpopmail:x:89:89::/var/vpopmail:/sbin/nologin -ntp:x:123:123:NTP:/var/empty:/sbin/nologin -smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin -guest:x:405:100:guest:/dev/null:/sbin/nologin -{{ matrix_user_username }}:x:{{ matrix_user_uid }}:{{ matrix_user_gid }}:Matrix:/tmp:/bin/ash -nobody:x:65534:65534:nobody:/:/sbin/nologin diff --git a/roles/custom/matrix-backup-borg/templates/sshkey.j2 b/roles/custom/matrix-backup-borg/templates/sshkey.j2 deleted file mode 100644 index 999cf38d1..000000000 --- a/roles/custom/matrix-backup-borg/templates/sshkey.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ matrix_backup_borg_ssh_key_private }} diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 deleted file mode 100644 index 533f6e42f..000000000 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 +++ /dev/null @@ -1,58 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Borg Backup -{% for service in matrix_backup_borg_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_backup_borg_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=oneshot -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ - --log-driver=none \ - --cap-drop=ALL \ - --read-only \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --network={{ matrix_docker_network }} \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \ - {% for source in matrix_backup_borg_location_source_directories %} - --mount type=bind,src={{ source }},dst={{ source }},ro \ - {% endfor %} - {% for arg in matrix_backup_borg_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_backup_borg_docker_image }} \ - sh -c "borgmatic --init --encryption {{ matrix_backup_borg_encryption }}" - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ - --log-driver=none \ - --cap-drop=ALL \ - --read-only \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --network={{ matrix_docker_network }} \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \ - {% for source in matrix_backup_borg_location_source_directories %} - --mount type=bind,src={{ source }},dst={{ source }},ro \ - {% endfor %} - {% for arg in matrix_backup_borg_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_backup_borg_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true' -SyslogIdentifier=matrix-backup-borg - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 deleted file mode 100644 index fdafef766..000000000 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Matrix Borg Backup timer - -[Timer] -Unit=matrix-backup-borg.service -OnCalendar={{ matrix_backup_borg_schedule }} -RandomizedDelaySec={{ matrix_backup_borg_schedule_randomized_delay_sec }} - -[Install] -WantedBy=timers.target diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 6b6885c6e..ccc68dc9b 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -1,4 +1,5 @@ --- + # The bare domain name which represents your Matrix identity. # Matrix user ids for your server will be of the form (`@user:`). # @@ -12,6 +13,21 @@ matrix_domain: ~ # Example value: "@someone:{{ matrix_domain }}" matrix_admin: '' +# Global var to enable/disable encryption across all bridges with encryption support +matrix_bridges_encryption_enabled: false + +# Global var to enable/disable relay mode across all bridges with relay mode support +matrix_bridges_relay_enabled: false + +# matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc. +# +# Unless you're wrapping this playbook in another one +# where you optionally wish to disable homeserver integration, you don't need to use this. +# +# Note: disabling this does not mean that a homeserver won't get installed. +# Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`. +matrix_homeserver_enabled: true + # Homeserver admin contacts and support page as per MSC 1929 # See: https://github.com/matrix-org/matrix-spec-proposals/pull/1929 # Users in form: @@ -62,7 +78,7 @@ matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" -# This is where you access the etherpad (if enabled via matrix_etherpad_enabled; disabled by default). +# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default). matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}" # For use with Go-NEB! (github callback url for example) @@ -83,13 +99,19 @@ matrix_server_fqn_mautrix_wsproxy: "wsproxy.{{ matrix_domain }}" # This is where you access the ntfy push notification service. matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" +# This is where you access rageshake. +matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}" + matrix_federation_public_port: 8448 +# The name of the Traefik entrypoint for handling Matrix Federation +matrix_federation_traefik_entrypoint: matrix-federation + # The architecture that your server runs. # Recognized values by us are 'amd64', 'arm32' and 'arm64'. # Not all architectures support all services, so your experience (on non-amd64) may vary. # See docs/alternative-architectures.md -matrix_architecture: amd64 +matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}" # The architecture for Debian packages. # See: https://wiki.debian.org/SupportedArchitectures @@ -110,13 +132,9 @@ matrix_user_gid: ~ matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" -matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" +matrix_bin_path: "{{ matrix_base_data_path }}/bin" -# This is now unused. We keep it so that cleanup tasks can use it. -# To be removed in the future. -matrix_cron_path: "/etc/cron.d" - -matrix_local_bin_path: "/usr/local/bin" +matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_host_command_sleep: "/usr/bin/env sleep" matrix_host_command_chown: "/usr/bin/env chown" @@ -148,17 +166,25 @@ matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming # Controls whether Element should use End-to-End Encryption by default. # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE. # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_default: true +matrix_well_known_matrix_client_io_element_e2ee_default: true # Controls whether Element should require a secure backup set up before Element can be used. # Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup. # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_secure_backup_required: false +matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false # Controls which backup methods from ["key", "passphrase"] should be used, both is the default. # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_secure_backup_setup_methods: [] +matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: [] + +# Controls whether element related entries should be added to the client well-known. Override this to false to hide +# element related well-known entries. +# By default if any of the following change from their default this is set to true: +# `matrix_well_known_matrix_client_io_element_e2ee_default` +# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required` +# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods` +matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}" # Default `/.well-known/matrix/client` configuration - it covers the generic use case. # You can customize it by controlling the various variables inside the template file that it references. @@ -256,13 +282,55 @@ matrix_well_known_matrix_server_enabled: true # See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc. matrix_well_known_matrix_support_enabled: false -# Controls whether Docker is automatically installed. -# If you change this to false you must install and update Docker manually. You also need to install the docker (https://pypi.org/project/docker/) Python package. -matrix_docker_installation_enabled: true +matrix_homeserver_container_extra_arguments_auto: [] +matrix_homeserver_app_service_config_files_auto: [] -# Controls the Docker package that is installed. -# Possible values are "docker-ce" (default) and "docker.io" (Debian). -matrix_docker_package_name: docker-ce +# Specifies the type of reverse-proxy used by the playbook. +# +# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is, +# as well as how all other services are configured. +# +# Valid options and a description of their behavior: +# +# - `playbook-managed-traefik` +# - the playbook will run a managed Traefik instance (matrix-traefik) +# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) +# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email` +# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working +# +# - `playbook-managed-nginx` +# - the playbook will install matrix-nginx-proxy +# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) +# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email` +# +# - `other-traefik-container` +# - this playbook will not install Traefik +# - nevertheless, the playbook expects that you would install Traefik yourself via other means +# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) +# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network +# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) +# +# - `other-nginx-non-container` +# - the playbook will not install matrix-nginx-proxy +# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d +# - these configs are meant to be included into a locally-installed (without a container) nginx server +# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`) +# +# - `other-on-same-host` +# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future +# +# - `other-on-another-host` +# - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`) +# - configurable via `matrix_playbook_service_host_bind_interface_prefix` +# +# - `none` +# - no reverse-proxy will be installed +# - no nginx configuration will be dumped in /matrix/nginx/conf.d +# - no port exposure will be done for any of the container services +# - it's up to you to expose the ports you want, etc. +matrix_playbook_reverse_proxy_type: '' + +matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" # Variables to Control which parts of our roles run. run_postgres_import: true diff --git a/roles/custom/matrix-base/tasks/clean_up_old_files.yml b/roles/custom/matrix-base/tasks/clean_up_old_files.yml deleted file mode 100644 index b79c01b3f..000000000 --- a/roles/custom/matrix-base/tasks/clean_up_old_files.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Get rid of old files and directories - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: - - "{{ matrix_base_data_path }}/environment-variables" - - "{{ matrix_base_data_path }}/scratchpad" diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 2205056d8..13ef11d5c 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -1,37 +1,39 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/sanity_check.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" - when: run_setup | bool - tags: - - setup-all - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/server_base/setup.yml" - when: run_setup | bool - tags: +- tags: - setup-all + - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" - when: run_setup | bool - tags: +- tags: - always - setup-system-user + - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - when: run_setup | bool - tags: +- tags: - setup-all + - install-all + - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_well_known.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-ma1sd - setup-synapse - setup-dendrite + - setup-conduit - setup-nginx-proxy + - install-all + - install-ma1sd + - install-synapse + - install-dendrite + - install-conduit + - install-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" diff --git a/roles/custom/matrix-base/tasks/server_base/setup.yml b/roles/custom/matrix-base/tasks/server_base/setup.yml deleted file mode 100644 index d0b9f0b95..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_redhat.yml" - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int < 8 - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_redhat8.yml" - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 7 and ansible_distribution_major_version | int < 30 - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_fedora.yml" - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 30 - -- when: ansible_os_family == 'Debian' - block: - # ansible_lsb is only available if lsb-release is installed. - - name: Ensure lsb-release installed - ansible.builtin.apt: - name: - - lsb-release - state: present - update_cache: true - register: lsb_release_installation_result - - - name: Reread ansible_lsb facts if lsb-release got installed - ansible.builtin.setup: - filter: ansible_lsb* - when: lsb_release_installation_result.changed - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml" - when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian') - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml" - when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian') - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml" - when: ansible_distribution == 'Archlinux' - -- name: Ensure Docker is started and autoruns - ansible.builtin.service: - name: docker - state: started - enabled: true diff --git a/roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml deleted file mode 100644 index a93136148..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: Install host dependencies - community.general.pacman: - name: - - python-docker - - python-dnspython - state: present - update_cache: true - -- name: Ensure Docker is installed - community.general.pacman: - name: - - docker - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_debian.yml b/roles/custom/matrix-base/tasks/server_base/setup_debian.yml deleted file mode 100644 index 412a11d02..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_debian.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- - -- name: Ensure APT usage dependencies are installed - ansible.builtin.apt: - name: - - apt-transport-https - - ca-certificates - - gnupg - state: present - update_cache: true - -- name: Ensure Docker's APT key is trusted - ansible.builtin.apt_key: - url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg" - id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 - state: present - register: add_repository_key - ignore_errors: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker repository is enabled - ansible.builtin.apt_repository: - repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" - state: present - update_cache: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.apt: - name: - - "{{ matrix_docker_package_name }}" - - "python{{ '3' if ansible_python.version.major == 3 else '' }}-docker" - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_fedora.yml b/roles/custom/matrix-base/tasks/server_base/setup_fedora.yml deleted file mode 100644 index 19d465718..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_fedora.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- - -- name: Ensure Docker repository is enabled - ansible.builtin.template: - src: "{{ role_path }}/files/yum.repos.d/{{ item }}" - dest: "/etc/yum.repos.d/docker-ce.repo" - owner: "root" - group: "root" - mode: 0644 - with_items: - - docker-ce-fedora.repo - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker's RPM key is trusted - ansible.builtin.rpm_key: - state: present - key: https://download.docker.com/linux/fedora/gpg - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.yum: - name: - - "{{ matrix_docker_package_name }}" - - python3-pip - state: present - when: matrix_docker_installation_enabled | bool - -- name: Ensure Docker-Py is installed - ansible.builtin.pip: - name: docker-py - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml deleted file mode 100644 index 6959b39c8..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- - -- name: Ensure APT usage dependencies are installed - ansible.builtin.apt: - name: - - apt-transport-https - - ca-certificates - - gnupg - state: present - update_cache: true - -- name: Ensure Docker's APT key is trusted - ansible.builtin.apt_key: - url: https://download.docker.com/linux/raspbian/gpg - id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 - state: present - register: add_repository_key - ignore_errors: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker repository is enabled - ansible.builtin.apt_repository: - repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/raspbian {{ ansible_distribution_release }} stable" - state: present - update_cache: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.apt: - name: - - "{{ matrix_docker_package_name }}" - - "python{{ '3' if ansible_python.version.major == 3 else '' }}-docker" - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_redhat.yml b/roles/custom/matrix-base/tasks/server_base/setup_redhat.yml deleted file mode 100644 index dbddd9130..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_redhat.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -- name: Ensure Docker repository is enabled - ansible.builtin.template: - src: "{{ role_path }}/files/yum.repos.d/docker-ce-centos.repo" - dest: "/etc/yum.repos.d/docker-ce.repo" - owner: "root" - group: "root" - mode: 0644 - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker's RPM key is trusted - ansible.builtin.rpm_key: - state: present - key: https://download.docker.com/linux/centos/gpg - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.yum: - name: - - "{{ matrix_docker_package_name }}" - - docker-python - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml b/roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml deleted file mode 100644 index c303abb8f..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- - -- name: Ensure Docker repository is enabled - ansible.builtin.template: - src: "{{ role_path }}/files/yum.repos.d/docker-ce-centos.repo" - dest: "/etc/yum.repos.d/docker-ce.repo" - owner: "root" - group: "root" - mode: 0644 - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker's RPM key is trusted - ansible.builtin.rpm_key: - state: present - key: https://download.docker.com/linux/centos/gpg - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure EPEL is installed - ansible.builtin.yum: - name: - - epel-release - state: present - update_cache: true - -- name: Ensure Docker is installed - ansible.builtin.yum: - name: - - "{{ matrix_docker_package_name }}" - - python3-pip - state: present - when: matrix_docker_installation_enabled | bool - -- name: Ensure Docker-Py is installed - ansible.builtin.pip: - name: docker-py - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/setup_matrix_base.yml b/roles/custom/matrix-base/tasks/setup_matrix_base.yml index f954bd796..3d95af020 100644 --- a/roles/custom/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/custom/matrix-base/tasks/setup_matrix_base.yml @@ -1,6 +1,6 @@ --- -- name: Ensure Matrix base path exists +- name: Ensure Matrix base paths exists ansible.builtin.file: path: "{{ item }}" state: directory @@ -9,14 +9,15 @@ group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_base_data_path }}" + - "{{ matrix_bin_path }}" - name: Ensure Matrix network is created in Docker community.docker.docker_network: name: "{{ matrix_docker_network }}" driver: bridge -- name: Ensure matrix-remove-all script created +- name: Ensure remove-all script created ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" - dest: "{{ matrix_local_bin_path }}/matrix-remove-all" + src: "{{ role_path }}/templates/bin/remove-all.j2" + dest: "{{ matrix_bin_path }}/remove-all" mode: 0750 diff --git a/roles/custom/matrix-base/tasks/setup_matrix_user.yml b/roles/custom/matrix-base/tasks/setup_matrix_user.yml index 0435b7a3c..0c9086e59 100644 --- a/roles/custom/matrix-base/tasks/setup_matrix_user.yml +++ b/roles/custom/matrix-base/tasks/setup_matrix_user.yml @@ -7,10 +7,6 @@ state: present register: matrix_group -- name: Set Matrix Group GID Variable - ansible.builtin.set_fact: - matrix_user_gid: "{{ matrix_group.gid }}" - - name: Ensure Matrix user is created ansible.builtin.user: name: "{{ matrix_user_username }}" @@ -22,6 +18,7 @@ system: true register: matrix_user -- name: Set Matrix Group UID Variable +- name: Initialize matrix_user_uid and matrix_user_gid ansible.builtin.set_fact: matrix_user_uid: "{{ matrix_user.uid }}" + matrix_user_gid: "{{ matrix_group.gid }}" diff --git a/roles/custom/matrix-base/tasks/sanity_check.yml b/roles/custom/matrix-base/tasks/validate_config.yml similarity index 66% rename from roles/custom/matrix-base/tasks/sanity_check.yml rename to roles/custom/matrix-base/tasks/validate_config.yml index 5104ba434..c663ab2ee 100644 --- a/roles/custom/matrix-base/tasks/sanity_check.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -5,21 +5,6 @@ msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit']" -# We generally support Ansible 2.7.1 and above. -- name: Fail if running on Ansible < 2.7.1 - ansible.builtin.fail: - msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" - when: - - "(ansible_version.major < 2) or (ansible_version.major == 2 and ansible_version.minor < 7) or (ansible_version.major == 2 and ansible_version.minor == 7 and ansible_version.revision < 1)" - -# Though we do not support Ansible 2.9.6 which is buggy -- name: Fail if running on Ansible 2.9.6 on Ubuntu - ansible.builtin.fail: - msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" - when: - - ansible_distribution == 'Ubuntu' - - "ansible_version.major == 2 and ansible_version.minor == 9 and ansible_version.revision == 6" - - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: msg: >- @@ -32,6 +17,10 @@ - {'old': 'hostname_matrix', 'new': 'matrix_server_fqn_matrix'} - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} + - {'old': 'matrix_local_bin_path', 'new': ''} + - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'} + - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'} + - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'} # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. - name: Fail if matrix_homeserver_generic_secret_key is undefined @@ -40,6 +29,8 @@ The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. If you're observing this error on a new installation, you should ensure that the `matrix_homeserver_generic_secret_key` is defined. + If you think you've defined it, but are still getting this error, then it's likely that you have a typo + in your domain name in `inventory/hosts` or in one of the directories leading up to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. If you're observing this error on an existing homeserver installation, you can fix it easily and in a backward-compatible way by adding `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` @@ -55,8 +46,27 @@ - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element | default('') }}"} - {'var': matrix_homeserver_container_url, 'value': "{{ matrix_homeserver_container_url | default('') }}"} - {'var': matrix_homeserver_container_federation_url, 'value': "{{ matrix_homeserver_container_federation_url | default('') }}"} + - {'var': matrix_architecture, 'value': "{{ matrix_architecture | default('') }}"} when: "item.value is none or item.value == ''" +- name: Fail if matrix_architecture is set incorrectly + ansible.builtin.fail: + msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." + when: matrix_architecture not in ['amd64', 'arm32', 'arm64'] + +- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly + ansible.builtin.fail: + msg: | + You have not explicitly specified the type of reverse-proxy you'd like to use (with a `matrix_playbook_reverse_proxy_type` variable in your configuration). + The playbook used to default to nginx (matrix-nginx-proxy), but things are changing with Traefik being the new default reverse-proxy. + Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now + when: matrix_playbook_reverse_proxy_type == '' + +- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly + ansible.builtin.fail: + msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'playbook-managed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] + - name: Fail if uppercase domain used ansible.builtin.fail: msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!" @@ -66,20 +76,6 @@ - "{{ matrix_server_fqn_element }}" when: "item != item | lower" -- name: Fail if using python2 on Archlinux - ansible.builtin.fail: - msg: "Detected that you're using python2 when installing onto Archlinux. Archlinux by default only supports python3." - when: - - ansible_distribution == 'Archlinux' - - ansible_python.version.major != 3 - -- name: Fail if architecture is set incorrectly - ansible.builtin.fail: - msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." - when: (ansible_architecture == "x86_64" and matrix_architecture != "amd64") or - (ansible_architecture == "aarch64" and matrix_architecture != "arm64") or - (ansible_architecture.startswith("armv") and matrix_architecture != "arm32") - - name: Fail if encountering usage of removed role (mx-puppet-skype) ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2 similarity index 86% rename from roles/custom/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 rename to roles/custom/matrix-base/templates/bin/remove-all.j2 index f9b174e57..2733ad784 100644 --- a/roles/custom/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/custom/matrix-base/templates/bin/remove-all.j2 @@ -23,12 +23,14 @@ else systemctl daemon-reload - echo "Remove matrix scripts" - find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete echo "Remove unused Docker images and resources" docker system prune -af + echo "Remove Docker matrix network (should be gone already, but ..)" docker network rm {{ matrix_docker_network }} + + echo "This playbook creates a lot of matrix-* networks. Consider removing them manually ('docker network ls', followed by 'docker network rm NETWORK_NAME')" + echo "Remove {{ matrix_base_data_path }} directory" rm -fr "{{ matrix_base_data_path }}" exit 0 diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index a4356d1d8..e3a3172e6 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -20,19 +20,32 @@ {% endif %} {% if matrix_client_element_jitsi_preferredDomain %}, "io.element.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} }, "im.vector.riot.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } {% endif %} - , + {% if matrix_sliding_sync_enabled %}, + "org.matrix.msc3575.proxy": { + "url": "{{ matrix_sliding_sync_base_url }}" + } + {% endif %} + {% if matrix_client_element_location_sharing_enabled %}, + "m.tile_server": { + "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" + } + {% endif %} + {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, "io.element.e2ee": { - "default": {{ matrix_client_element_e2ee_default|to_json }}, - "secure_backup_required": {{ matrix_client_element_e2ee_secure_backup_required|to_json }}, - "secure_backup_setup_methods": {{ matrix_client_element_e2ee_secure_backup_setup_methods|to_json }} - }, + "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}, + "secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }}, + "secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }} + } + {% endif %} + {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, "im.vector.riot.e2ee": { - "default": {{ matrix_client_element_e2ee_default|to_json }} + "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }} } + {% endif %} } diff --git a/roles/custom/matrix-base/vars/main.yml b/roles/custom/matrix-base/vars/main.yml deleted file mode 100644 index 3578666f3..000000000 --- a/roles/custom/matrix-base/vars/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# This will contain a list of enabled services that the playbook is managing. -# Each component is expected to append its service name to this list. -matrix_systemd_services_list: [] - -matrix_homeserver_container_runtime_injected_arguments: [] -matrix_homeserver_app_service_runtime_injected_config_files: [] diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 21d9a4a39..7a31514b9 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -1,23 +1,85 @@ --- -# buscarron is a helpdesk bot + +# buscarron is a Web forms (HTTP POST) to Matrix service. # Project source code URL: https://gitlab.com/etke.cc/buscarron matrix_bot_buscarron_enabled: true +matrix_bot_buscarron_version: v1.3.1 + +# The hostname at which Buscarron is served. +matrix_bot_buscarron_hostname: '' + +# The path at which Buscarron is exposed. +# This value must either be `/` or not end with a slash (e.g. `/buscarron`). +matrix_bot_buscarron_path_prefix: / + +# The path at which Buscarron will expose metrics +# This value must either be `/` or not end with a slash (e.g. `/metrics`). +matrix_bot_buscarron_metrics_path: /metrics + +matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" +matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" +matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" +matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" + matrix_bot_buscarron_container_image_self_build: false matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git" matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}" matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src" -matrix_bot_buscarron_version: v1.3.0 -matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}buscarron:{{ matrix_bot_buscarron_version }}" -matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}" +matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}" -matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" -matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" -matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" -matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_buscarron_container_network: matrix-bot-buscarron + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_buscarron_container_additional_networks: [] + +# enable basic auth for metrics +matrix_bot_buscarron_basicauth_enabled: false +# temporary file name on the host that runs ansible +matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd" +# username +matrix_bot_buscarron_basicauth_user: '' +# password +matrix_bot_buscarron_basicauth_password: '' + +# matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_buscarron_container_labels_additional_labels`. +matrix_bot_buscarron_container_labels_traefik_enabled: true +matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_bot_buscarron_container_network }}" +matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`). +matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}" +matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_buscarron_container_labels_traefik_metrics_path: "{{ matrix_bot_buscarron_metrics_path }}" +matrix_bot_buscarron_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_buscarron_container_labels_traefik_metrics_path }}`)" +matrix_bot_buscarron_container_labels_traefik_priority: 0 +matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure +matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom` +matrix_bot_buscarron_container_labels_traefik_additional_response_headers: "{{ matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto: {} +matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_buscarron_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_buscarron_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_buscarron_container_labels_additional_labels: '' # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] @@ -43,7 +105,7 @@ matrix_bot_buscarron_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_buscarron_database_username: 'buscarron' matrix_bot_buscarron_database_password: 'some-password' -matrix_bot_buscarron_database_hostname: 'matrix-postgres' +matrix_bot_buscarron_database_hostname: '' matrix_bot_buscarron_database_port: 5432 matrix_bot_buscarron_database_name: 'buscarron' diff --git a/roles/custom/matrix-bot-buscarron/tasks/init.yml b/roles/custom/matrix-bot-buscarron/tasks/init.yml deleted file mode 100644 index a1f5751db..000000000 --- a/roles/custom/matrix-bot-buscarron/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-buscarron.service'] }}" - when: matrix_bot_buscarron_enabled | bool diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml index e6712262f..fbf5c96ac 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/main.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: +- tags: - setup-all - setup-bot-buscarron + - install-all + - install-bot-buscarron + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: - - setup-all - - setup-bot-buscarron + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" - tags: +- tags: - setup-all - setup-bot-buscarron + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 156813def..0559efec1 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -11,8 +11,11 @@ - when: "matrix_bot_buscarron_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_bot_buscarron_sqlite_database_path_local }}" dst: "{{ matrix_bot_buscarron_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -20,10 +23,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-buscarron.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_bot_buscarron_requires_restart: true @@ -41,13 +40,39 @@ - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Ensure buscarron environment variables file created +- name: Determine basicauth filename + ansible.builtin.set_fact: + matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}" + when: matrix_bot_buscarron_basicauth_enabled | bool + +- name: Generate basic auth file + community.general.htpasswd: + path: "{{ matrix_bot_buscarron_basicauth_file }}" + name: "{{ matrix_bot_buscarron_basicauth_user }}" + password: "{{ matrix_bot_buscarron_basicauth_password }}" + mode: 0640 + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_buscarron_basicauth_enabled | bool + +- name: Ensure buscarron support files installed ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_bot_buscarron_config_path }}/env" + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_buscarron_config_path }}/{{ item }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 + with_items: + - env + - labels + +- name: Ensure temporary basic auth file is removed + ansible.builtin.file: + path: "{{ matrix_bot_buscarron_basicauth_file }}" + state: absent + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_buscarron_basicauth_enabled | bool - name: Ensure buscarron image is pulled community.docker.docker_image: @@ -89,15 +114,15 @@ src: "{{ role_path }}/templates/systemd/matrix-bot-buscarron.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" mode: 0644 - register: matrix_bot_buscarron_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-buscarron.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_buscarron_systemd_service_result.changed | bool" +- name: Ensure buscarron container network is created + community.general.docker_network: + name: "{{ matrix_bot_buscarron_container_network }}" + driver: bridge - name: Ensure matrix-bot-buscarron.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-buscarron.service" state: restarted + daemon_reload: true when: "matrix_bot_buscarron_requires_restart | bool" diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml index cb3333bf2..26d920f48 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" register: matrix_bot_buscarron_service_stat -- name: Ensure matrix-buscarron is stopped - ansible.builtin.service: - name: matrix-bot-buscarron - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_buscarron_service_stat.stat.exists | bool" +- when: matrix_bot_buscarron_service_stat.stat.exists | bool + block: + - name: Ensure matrix-buscarron is stopped + ansible.builtin.service: + name: matrix-bot-buscarron + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-buscarron.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" - state: absent - when: "matrix_bot_buscarron_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-buscarron.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_buscarron_service_stat.stat.exists | bool" - -- name: Ensure Matrix buscarron paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_buscarron_base_path }}" - state: absent + - name: Ensure matrix-bot-buscarron.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" + state: absent -- name: Ensure buscarron Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_buscarron_docker_image }}" - state: absent + - name: Ensure Matrix buscarron paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_buscarron_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml index 04238012a..51102b73e 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml @@ -1,9 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required Buscarron settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_buscarron_password" + - {'name': 'matrix_bot_buscarron_password', when: true} + - {'name': 'matrix_bot_buscarron_hostname', when: true} + - {'name': 'matrix_bot_buscarron_database_hostname', when: "{{ matrix_bot_buscarron_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2 new file mode 100644 index 000000000..6a1ead33d --- /dev/null +++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2 @@ -0,0 +1,66 @@ +{% if matrix_bot_buscarron_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_buscarron_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} +{% set middlewares_metrics = [] %} + +{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-buscarron-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes={{ matrix_bot_buscarron_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_buscarron_basicauth_enabled %} +traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }} +{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %} +{% endif %} + +{% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-bot-buscarron-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-bot-buscarron.rule={{ matrix_bot_buscarron_container_labels_traefik_rule }} +{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-buscarron.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-buscarron.service=matrix-bot-buscarron +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-bot-buscarron.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-bot-buscarron.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }} +{% if matrix_bot_buscarron_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080 + +{% if middlewares_metrics | length > 0 %} +traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }} +{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron +traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }} +traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }} +{% if matrix_bot_buscarron_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080 +{% endif %} + +{% endif %} + +{{ matrix_bot_buscarron_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 index 60909dc91..49c699488 100644 --- a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 @@ -16,21 +16,31 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-buscarron \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-buscarron \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_buscarron_container_network }} \ --env-file={{ matrix_bot_buscarron_config_path }}/env \ + --label-file={{ matrix_bot_buscarron_config_path }}/labels \ --mount type=bind,src={{ matrix_bot_buscarron_data_path }},dst=/data \ {% for arg in matrix_bot_buscarron_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_bot_buscarron_docker_image }} +{% for network in matrix_bot_buscarron_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-buscarron +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-buscarron + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-buscarron diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml new file mode 100644 index 000000000..298437ca3 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -0,0 +1,92 @@ +--- +# chatgpt is a bot for chatting to openAI chatgpt matrix bot +# Project source code URL: https://github.com/matrixgpt/matrix-chatgpt-bot + +matrix_bot_chatgpt_enabled: true + +matrix_bot_chatgpt_version: 3.1.2 + +matrix_bot_chatgpt_container_image_self_build: false +matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" +matrix_bot_chatgpt_container_image_self_build_repo_version: "{{ 'main' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" + +matrix_bot_chatgpt_container_image: "{{ matrix_bot_chatgpt_container_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_container_image_tag }}" +matrix_bot_chatgpt_container_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else matrix_bot_chatgpt_container_image_registry_prefix }}" +matrix_bot_chatgpt_container_image_tag: "{{ matrix_bot_chatgpt_version }}" +matrix_bot_chatgpt_container_image_force_pull: "{{ matrix_bot_chatgpt_container_image.endswith(':latest') }}" +matrix_bot_chatgpt_container_image_registry_prefix: ghcr.io/ + +matrix_bot_chatgpt_base_path: "{{ matrix_base_data_path }}/chatgpt" +matrix_bot_chatgpt_config_path: "{{ matrix_bot_chatgpt_base_path }}/config" +matrix_bot_chatgpt_data_path: "{{ matrix_bot_chatgpt_base_path }}/data" +matrix_bot_chatgpt_container_src_path: "{{ matrix_bot_chatgpt_base_path }}/container-src" + +# A list of extra arguments to pass to the container +matrix_bot_chatgpt_container_extra_arguments: [] + +# List of systemd services that matrix-bot-chatgpt.service depends on +matrix_bot_chatgpt_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-chatgpt.service wants +matrix_bot_chatgpt_systemd_wanted_services_list: [] + +# ChatGPT Settings +matrix_bot_chatgpt_openai_api_key: '' +matrix_bot_chatgpt_api_model: 'gpt-3.5-turbo' +matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" + +matrix_bot_chatgpt_keyv_backend: 'file' +matrix_bot_chatgpt_keyv_url: '' +matrix_bot_chatgpt_keyv_bot_encryption: false +matrix_bot_chatgpt_keyv_bot_storage: true + +# Matrix Static Settings (required, see notes) +# Defaults to "https://matrix.org" +matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL= +# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN, needs to be set, created manually beforehand. +matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt' +matrix_bot_chatgpt_matrix_bot_username: "@{{ matrix_bot_chatgpt_matrix_bot_username_localpart }}:{{ matrix_domain }}" # MATRIX_BOT_USERNAME= +# Set `MATRIX_BOT_PASSWORD` the bot will print an `MATRIX_ACCESS_TOKEN` to the terminal +# or https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix +matrix_bot_chatgpt_matrix_access_token: '' # MATRIX_ACCESS_TOKEN= +# Once `MATRIX_BOT_ACCESS_TOKEN` is set this is no longer used. +matrix_bot_chatgpt_matrix_bot_password: '' # MATRIX_BOT_PASSWORD= + +# Matrix Configurable Settings Defaults (optional) +matrix_bot_chatgpt_matrix_default_prefix: "!chatgpt " # MATRIX_DEFAULT_PREFIX= Leave prefix blank to reply to all messages, trailing space matters +matrix_bot_chatgpt_matrix_default_prefix_reply: false # MATRIX_DEFAULT_PREFIX_REPLY= + +# Matrix Access Control (optional) +# +# Lists of space-separated entries. Example: +# matrix_bot_chatgpt_matrix_whitelist: ":{{ matrix_domain }} :second-domain.com :third-domain.com" +matrix_bot_chatgpt_matrix_blacklist: '' +matrix_bot_chatgpt_matrix_whitelist: ':{{ matrix_domain }}' + +# Matrix Feature Flags (optional) +matrix_bot_chatgpt_matrix_autojoin: true # MATRIX_AUTOJOIN=true +matrix_bot_chatgpt_matrix_encryption: true # MATRIX_ENCRYPTION=true +matrix_bot_chatgpt_matrix_threads: true # MATRIX_THREADS=true +matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true + + +# A list of admins +# Example set of rules: +# matrix_bot_chatgpt_admins: +# - @someone:example.com +# - @another:example.com +# - @bot.*:example.com +# - @*:another.com +# matrix_bot_chatgpt_admins: "{{ [matrix_admin] if matrix_admin else [] }}" + +# Additional environment variables to pass to the chatgpt container +# +# You can discover additional environment variables from: +# https://github.com/matrixgpt/matrix-chatgpt-bot/blob/main/src/env.ts +# +# Example: +# matrix_bot_chatgpt_environment_variables_extension: | +# chatgpt_TEXT_DONE=Done +matrix_bot_chatgpt_environment_variables_extension: '' + +matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.' diff --git a/roles/custom/matrix-bot-chatgpt/tasks/install.yml b/roles/custom/matrix-bot-chatgpt/tasks/install.yml new file mode 100644 index 000000000..ef31df066 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/install.yml @@ -0,0 +1,63 @@ +--- + +- name: Ensure chatgpt paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_bot_chatgpt_config_path }}", when: true} + - {path: "{{ matrix_bot_chatgpt_data_path }}", when: true} + - {path: "{{ matrix_bot_chatgpt_container_src_path }}", when: matrix_bot_chatgpt_container_image_self_build} + when: "item.when | bool" + +- name: Ensure chatgpt environment variables file created + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_chatgpt_config_path }}/env" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure chatgpt container image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_chatgpt_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_chatgpt_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_container_image_force_pull }}" + when: "not matrix_bot_chatgpt_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_bot_chatgpt_container_image_self_build | bool + block: + - name: Ensure chatgpt repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_bot_chatgpt_container_image_self_build_repo }}" + version: "{{ matrix_bot_chatgpt_container_image_self_build_repo_version }}" + dest: "{{ matrix_bot_chatgpt_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_bot_chatgpt_git_pull_results + + - name: Ensure chatgpt container image is built + community.docker.docker_image: + name: "{{ matrix_bot_chatgpt_container_image }}" + source: build + force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_chatgpt_container_src_path }}" + pull: true + +- name: Ensure matrix-bot-chatgpt.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-bot-chatgpt.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + mode: 0644 diff --git a/roles/custom/matrix-bot-chatgpt/tasks/main.yml b/roles/custom/matrix-bot-chatgpt/tasks/main.yml new file mode 100644 index 000000000..3f5a7b7ec --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml @@ -0,0 +1,21 @@ +--- + +- + tags: + - setup-all + - setup-bot-chatgpt + - install-all + - install-bot-chatgpt + block: + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-bot-chatgpt + block: + - when: not matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-bot-chatgpt/tasks/uninstall.yml b/roles/custom/matrix-bot-chatgpt/tasks/uninstall.yml new file mode 100644 index 000000000..4a50d7337 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-chatgpt service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + register: matrix_bot_chatgpt_service_stat + +- when: matrix_bot_chatgpt_service_stat.stat.exists | bool + block: + - name: Ensure matrix-chatgpt is stopped + ansible.builtin.service: + name: matrix-bot-chatgpt + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-bot-chatgpt.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + state: absent + + - name: Ensure Matrix chatgpt paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_chatgpt_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml new file mode 100644 index 000000000..c6771823e --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -0,0 +1,35 @@ +--- + +- name: Fail if required Chatgpt settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} + - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} + +- name: Fail if OpenAI configuration not up-to-date. + ansible.builtin.fail: + msg: >- + Your configuration contains a varible that is no longer used. + Please change your configuration to remove the variable (`{{ item.name }}`). + when: "item.name in vars" + with_items: + - {'name': 'matrix_bot_chatgpt_openai_email'} + - {'name': 'matrix_bot_chatgpt_openai_password'} + - {'name': 'matrix_bot_chatgpt_openai_login_type'} + +- name: (Deprecation) Catch and report renamed ChatGPT settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_chatgpt_docker_image', 'new': 'matrix_bot_chatgpt_container_image'} + - {'old': 'matrix_bot_chatgpt_docker_image_name_prefix', 'new': 'matrix_bot_chatgpt_container_image_name_prefix'} + - {'old': 'matrix_bot_chatgpt_docker_image_force_pull', 'new': 'matrix_bot_chatgpt_container_image_force_pull'} + - {'old': 'matrix_bot_chatgpt_docker_repo', 'new': 'matrix_bot_chatgpt_container_image_self_build_repo'} + - {'old': 'matrix_bot_chatgpt_docker_repo_version', 'new': 'matrix_bot_chatgpt_container_image_self_build_repo_version'} + - {'old': 'matrix_bot_chatgpt_docker_src_files_path', 'new': 'matrix_bot_chatgpt_container_src_path'} diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 new file mode 100644 index 000000000..d9ca2d50c --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 @@ -0,0 +1,32 @@ +MATRIX_HOMESERVER_URL={{ matrix_bot_chatgpt_matrix_homeserver_url }} +MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }} + +OPENAI_API_KEY={{ matrix_bot_chatgpt_openai_api_key }} +CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }} +CHATGPT_API_MODEL={{ matrix_bot_chatgpt_api_model }} + +KEYV_BACKEND={{ matrix_bot_chatgpt_keyv_backend }} +KEYV_URL={{ matrix_bot_chatgpt_keyv_url }} +KEYV_BOT_ENCRYPTION={{ matrix_bot_chatgpt_keyv_bot_encryption|lower }} +KEYV_BOT_STORAGE={{ matrix_bot_chatgpt_keyv_bot_storage|lower }} + +# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN +MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }} +MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }} + +MATRIX_DEFAULT_PREFIX={{ matrix_bot_chatgpt_matrix_default_prefix }} +MATRIX_DEFAULT_PREFIX_REPLY={{ matrix_bot_chatgpt_matrix_default_prefix_reply|lower }} + +MATRIX_BLACKLIST={{ matrix_bot_chatgpt_matrix_blacklist }} +MATRIX_WHITELIST={{ matrix_bot_chatgpt_matrix_whitelist }} + +MATRIX_AUTOJOIN={{ matrix_bot_chatgpt_matrix_autojoin|lower }} +MATRIX_ENCRYPTION={{ matrix_bot_chatgpt_matrix_encryption|lower }} +MATRIX_THREADS={{ matrix_bot_chatgpt_matrix_threads|lower }} +MATRIX_RICH_TEXT={{ matrix_bot_chatgpt_matrix_rich_text|lower }} + +CHATGPT_PROMPT_PREFIX={{ matrix_bot_chatgpt_matrix_bot_prompt_prefix }} + +DATA_PATH=/data/ + +{{ matrix_bot_chatgpt_environment_variables_extension }} diff --git a/roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 similarity index 60% rename from roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 rename to roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 index fd48b01eb..c8fa06c19 100644 --- a/roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 @@ -1,11 +1,11 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-grafana -{% for service in matrix_grafana_systemd_required_services_list %} +Description=Matrix chatgpt bot +{% for service in matrix_bot_chatgpt_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} -{% for service in matrix_grafana_systemd_wanted_services_list %} +{% for service in matrix_bot_chatgpt_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} DefaultDependencies=no @@ -13,31 +13,31 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-grafana \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ + --rm \ + --name=matrix-bot-chatgpt \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --tmpfs /tmp \ --network={{ matrix_docker_network }} \ - {% if matrix_grafana_container_http_host_bind_port %} - -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ - {% endif %} - -v {{ matrix_grafana_config_path }}:/etc/grafana:z \ - -v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \ - {% for arg in matrix_grafana_container_extra_arguments %} + --env-file={{ matrix_bot_chatgpt_config_path }}/env \ + --mount type=bind,src={{ matrix_bot_chatgpt_data_path }},dst=/data \ + --env HOME=/data/home \ + {% for arg in matrix_bot_chatgpt_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_grafana_docker_image }} + {{ matrix_bot_chatgpt_container_image }} -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-grafana +SyslogIdentifier=matrix-bot-chatgpt [Install] WantedBy=multi-user.target diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml new file mode 100644 index 000000000..bd0e2defa --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -0,0 +1,59 @@ +--- +# A moderation tool for Matrix +# Project source code URL: https://github.com/Gnuxie/Draupnir + +matrix_bot_draupnir_enabled: true + +matrix_bot_draupnir_version: "v1.83.0" + +matrix_bot_draupnir_container_image_self_build: false +matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" + +matrix_bot_draupnir_docker_image: "{{ matrix_bot_draupnir_docker_image_name_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}" +matrix_bot_draupnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_bot_draupnir_docker_image_force_pull: "{{ matrix_bot_draupnir_docker_image.endswith(':latest') }}" + +matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir" +matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config" +matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data" +matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src" + +# A list of extra arguments to pass to the container +matrix_bot_draupnir_container_extra_arguments: [] + +# List of systemd services that matrix-bot-draupnir.service depends on +matrix_bot_draupnir_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-draupnir.service wants +matrix_bot_draupnir_systemd_wanted_services_list: [] + +# The access token for the bot user +matrix_bot_draupnir_access_token: "" + +# The room ID where people can use the bot. The bot has no access controls, so +# anyone in this room can use the bot - secure your room! +# This should be a room alias or room ID - not a matrix.to URL. +# Note: draupnir is fairly verbose - expect a lot of messages from it. +matrix_bot_draupnir_management_room: "" + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_bot_draupnir_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_bot_draupnir_configuration_yaml: "{{ lookup('template', 'templates/production.yaml.j2') }}" + +matrix_bot_draupnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_draupnir_configuration_yaml`. + +matrix_bot_draupnir_configuration_extension: "{{ matrix_bot_draupnir_configuration_extension_yaml | from_yaml if matrix_bot_draupnir_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_bot_draupnir_configuration_yaml`. +matrix_bot_draupnir_configuration: "{{ matrix_bot_draupnir_configuration_yaml | from_yaml | combine(matrix_bot_draupnir_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml new file mode 100644 index 000000000..66c7cd06e --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-bot-draupnir + - install-all + - install-bot-draupnir + block: + - when: matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-bot-draupnir + block: + - when: not matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml new file mode 100644 index 000000000..4808f71fc --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml @@ -0,0 +1,74 @@ +--- + +- ansible.builtin.set_fact: + matrix_bot_draupnir_requires_restart: false + +- name: Ensure matrix-bot-draupnir paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_bot_draupnir_base_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_config_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_data_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_docker_src_files_path }}", when: "{{ matrix_bot_draupnir_container_image_self_build }}"} + when: "item.when | bool" + +- name: Ensure draupnir Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_draupnir_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_draupnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_docker_image_force_pull }}" + when: "not matrix_bot_draupnir_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure draupnir repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_bot_draupnir_container_image_self_build_repo }}" + dest: "{{ matrix_bot_draupnir_docker_src_files_path }}" + version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_bot_draupnir_git_pull_results + when: "matrix_bot_draupnir_container_image_self_build | bool" + +- name: Ensure draupnir Docker image is built + community.docker.docker_image: + name: "{{ matrix_bot_draupnir_docker_image }}" + source: build + force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_draupnir_docker_src_files_path }}" + pull: true + when: "matrix_bot_draupnir_container_image_self_build | bool" + +- name: Ensure matrix-bot-draupnir config installed + ansible.builtin.copy: + content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-draupnir.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + mode: 0644 + register: matrix_bot_draupnir_systemd_service_result + +- name: Ensure matrix-bot-draupnir.service restarted, if necessary + ansible.builtin.service: + name: "matrix-bot-draupnir.service" + state: restarted + daemon_reload: true + when: "matrix_bot_draupnir_requires_restart | bool" diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml new file mode 100644 index 000000000..10583a0bc --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-bot-draupnir service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + register: matrix_bot_draupnir_service_stat + +- when: matrix_bot_draupnir_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-draupnir is stopped + ansible.builtin.service: + name: matrix-bot-draupnir + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-bot-draupnir.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + state: absent + + - name: Ensure matrix-bot-draupnir paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_draupnir_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml new file mode 100644 index 000000000..b38281899 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required variables are undefined + ansible.builtin.fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value." + with_items: + - "matrix_bot_draupnir_access_token" + - "matrix_bot_draupnir_management_room" + when: "vars[item] == '' or vars[item] is none" diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 new file mode 100644 index 000000000..95acbd356 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -0,0 +1,256 @@ +# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API), +# set this to the pantalaimon URL if you're using that. +homeserverUrl: "{{ matrix_homeserver_url }}" + +# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/), +# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. +rawHomeserverUrl: "{{ matrix_homeserver_url }}" + +# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false. +accessToken: "{{ matrix_bot_draupnir_access_token }}" + +# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) +#pantalaimon: +# # Whether or not Draupnir will use pantalaimon to access the matrix homeserver, +# # set to `true` if you're using pantalaimon. +# # +# # Be sure to point homeserverUrl to the pantalaimon instance. +# # +# # Draupnir will log in using the given username and password once, +# # then store the resulting access token in a file under dataPath. +# use: false +# +# # The username to login with. +# username: draupnir +# +# # The password Draupnir will login with. +# # +# # After successfully logging in once, this will be ignored, so this value can be blanked after first startup. +# password: your_password + +# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers. +dataPath: "/data" + +# If true (the default), Draupnir will only accept invites from users present in managementRoom. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this space can invite +# the bot to new rooms. +#acceptInvitesFromSpace: "!example:example.org" + +# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +recordIgnoredInvites: false + +# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir. +# +# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# +# This should be a room alias or room ID - not a matrix.to URL. +# +# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room. +# (see verboseLogging to adjust this a bit.) +managementRoom: "{{ matrix_bot_draupnir_management_room }}" + +# Whether Draupnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room. +verboseLogging: false + +# The log level of terminal (or container) output, +# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. +# +# This should be at INFO or DEBUG in order to get support for Draupnir problems. +logLevel: "INFO" + +# Whether or not Draupnir should synchronize policy lists immediately after startup. +# Equivalent to running '!draupnir sync'. +syncOnStartup: true + +# Whether or not Draupnir should check moderation permissions in all protected rooms on startup. +# Equivalent to running `!draupnir verify`. +verifyPermissionsOnStartup: true + +# Whether or not Draupnir should actually apply bans and policy lists, +# turn on to trial some untrusted configuration or lists. +noop: false + +# Whether Draupnir should check member lists quicker (by using a different endpoint), +# keep in mind that enabling this will miss invited (but not joined) users. +# +# Turn on if your bot is in (very) large rooms, or in large amounts of rooms. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for. +# +# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list, +# it will also remove the user's messages automatically. +# +# Typically this is useful to avoid having to give two commands to the bot. +# Advanced: Use asterisks to have the reason match using "globs" +# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting"). +# +# See here for more info: https://www.digitalocean.com/community/tools/glob +# Note: Keep in mind that glob is NOT regex! +automaticallyRedactForReasons: + - "spam" + - "advertising" + +# A list of rooms to protect. Draupnir will add this to the list it knows from its account data. +# +# It won't, however, add it to the account data. +# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes. +# +# Note: These must be matrix.to URLs +#protectedRooms: +# - "https://matrix.to/#/#yourroom:example.org" + +# Whether or not to add all joined rooms to the "protected rooms" list +# (excluding the management room and watched policy list rooms, see below). +# +# Note that this effectively makes the protectedRooms and associated commands useless +# for regular rooms. +# +# Note: the management room is *excluded* from this condition. +# Explicitly add it as a protected room to protect it. +# +# Note: Ban list rooms the bot is watching but didn't create will not be protected. +# Explicitly add these rooms as a protected room list if you want them protected. +protectAllJoinedRooms: false + +# Increase this delay to have Draupnir wait longer between two consecutive backgrounded +# operations. The total duration of operations will be longer, but the homeserver won't +# be affected as much. Conversely, decrease this delay to have Draupnir chain operations +# faster. The total duration of operations will generally be shorter, but the performance +# of the homeserver may be more impacted. +backgroundDelayMS: 500 + +# Server administration commands, these commands will only work if Draupnir is +# a global server administrator, and the bot's server is a Synapse instance. +admin: + # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room + # (with enough permissions) to "make" a user an admin. + # + # This only works if a local user with enough admin permissions is present in the room. + enableMakeRoomAdminCommand: false + +# Misc options for command handling and commands +commands: + # Whether or not the `!draupnir` prefix is necessary to submit commands. + # + # If `true`, will allow commands like `!ban`, `!help`, etc. + # + # Note: Draupnir can also be pinged by display name instead of having to use + # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will address only my_moderator_bot. + allowNoPrefix: false + + # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`. + additionalPrefixes: + - "draupnir-bot" + - "draupnir_bot" + - "draupnir" + + # Whether or not commands with a wildcard (*) will require an additional `--force` argument + # in the command to be able to be submitted. + confirmWildcardBan: true + + # The default reasons to be prompted with if the reason is missing from a ban command. + ban: + defaultReasons: + - "spam" + - "brigading" + - "harassment" + - "disagreement" + +# Configuration specific to certain toggle-able protections +#protections: +# # Configuration for the wordlist plugin, which can ban users based if they say certain +# # blocked words shortly after joining. +# wordlist: +# # A list of case-insensitive keywords that the WordList protection will watch for from new users. +# # +# # WordList will ban users who use these words when first joining a room, so take caution when selecting them. +# # +# # For advanced usage, regex can also be used, see the following links for more information; +# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions +# # - https://regexr.com/ +# # - https://regexone.com/ +# words: +# - "LoReM" +# - "IpSuM" +# - "DoLoR" +# - "aMeT" +# +# # For how long (in minutes) the user is "new" to the WordList plugin. +# # +# # After this time, the user will no longer be banned for using a word in the above wordlist. +# # +# # Set to zero to disable the timeout and make users *always* appear "new". +# # (users will always be banned if they say a bad word) +# minutesBeforeTrusting: 20 + +# Options for advanced monitoring of the health of the bot. +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/healthz" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 + +# Options for exposing web APIs. +#web: +# # Whether to enable web APIs. +# enabled: false +# +# # The port to expose the webserver on. Defaults to 8080. +# port: 8080 +# +# # The address to listen for requests on. Defaults to only the current +# # computer. +# address: localhost +# +# # Alternative setting to open to the entire web. Be careful, +# # as this will increase your security perimeter: +# # +# # address: "0.0.0.0" +# +# # A web API designed to intercept Matrix API +# # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId} +# # and display readable abuse reports in the moderation room. +# # +# # If you wish to take advantage of this feature, you will need +# # to configure a reverse proxy, see e.g. test/nginx.conf +# abuseReporting: +# # Whether to enable this feature. +# enabled: false + +# Whether or not to actively poll synapse for abuse reports, to be used +# instead of intercepting client calls to synapse's abuse endpoint, when that +# isn't possible/practical. +pollReports: false + +# Whether or not new reports, received either by webapi or polling, +# should be printed to our managementRoom. +displayReports: false diff --git a/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 similarity index 57% rename from roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 rename to roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 index 584557344..6995bcc39 100644 --- a/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 @@ -1,11 +1,11 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-prometheus -{% for service in matrix_prometheus_systemd_required_services_list %} +Description=Matrix Draupnir bot +{% for service in matrix_bot_draupnir_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} -{% for service in matrix_prometheus_systemd_wanted_services_list %} +{% for service in matrix_bot_draupnir_systemd_required_services_list %} Wants={{ service }} {% endfor %} DefaultDependencies=no @@ -13,31 +13,30 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true' +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-prometheus \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-draupnir \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_container_http_host_bind_port %} - -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ - {% endif %} - -v {{ matrix_prometheus_config_path }}:/etc/prometheus:z \ - -v {{ matrix_prometheus_data_path }}:/prometheus:z \ - {% for arg in matrix_prometheus_container_extra_arguments %} + --mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \ + --mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \ + {% for arg in matrix_bot_draupnir_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_prometheus_docker_image }} {{ matrix_prometheus_process_arguments|join(' ') }} + {{ matrix_bot_draupnir_docker_image }} -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-prometheus +SyslogIdentifier=matrix-bot-draupnir [Install] WantedBy=multi-user.target diff --git a/roles/custom/matrix-bot-go-neb/defaults/main.yml b/roles/custom/matrix-bot-go-neb/defaults/main.yml index 61c5d54d4..39b97b088 100644 --- a/roles/custom/matrix-bot-go-neb/defaults/main.yml +++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml @@ -1,11 +1,22 @@ --- + # Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. # Project source code URL: https://github.com/matrix-org/go-neb matrix_bot_go_neb_enabled: true + matrix_bot_go_neb_version: latest -matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" -matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" + +matrix_bot_go_neb_scheme: https + +# The hostname at which Go-NEB is served. +matrix_bot_go_neb_hostname: '' + +# The path at which Go-NEB is exposed. +# This value must either be `/` or not end with a slash (e.g. `/go-neb`). +matrix_bot_go_neb_path_prefix: / + +matrix_bot_go_neb_base_url: "{{ matrix_bot_go_neb_scheme }}://{{ matrix_bot_go_neb_hostname }}{{ matrix_bot_go_neb_path_prefix }}{{ '' if matrix_bot_go_neb_path_prefix == '/' else '/' }}" matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb" matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config" @@ -13,11 +24,63 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" +matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}" +matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}" +matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}" +matrix_bot_go_neb_container_image_registry_prefix: docker.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_go_neb_container_network: matrix-bot-go-neb + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_go_neb_container_additional_networks: [] + # Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. matrix_bot_go_neb_container_http_host_bind_port: '' +# matrix_bot_go_neb_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_go_neb_container_labels_additional_labels`. +matrix_bot_go_neb_container_labels_traefik_enabled: true +matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_bot_go_neb_container_network }}" +matrix_bot_go_neb_container_labels_traefik_hostname: "{{ matrix_bot_go_neb_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/go-neb`). +matrix_bot_go_neb_container_labels_traefik_path_prefix: "{{ matrix_bot_go_neb_path_prefix }}" +matrix_bot_go_neb_container_labels_traefik_rule: "Host(`{{ matrix_bot_go_neb_container_labels_traefik_hostname }}`){% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_go_neb_container_labels_traefik_priority: 0 +matrix_bot_go_neb_container_labels_traefik_entrypoints: web-secure +matrix_bot_go_neb_container_labels_traefik_tls: "{{ matrix_bot_go_neb_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_go_neb_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom` +matrix_bot_go_neb_container_labels_traefik_additional_response_headers: "{{ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_bot_go_neb_http_header_strict_transport_security} if matrix_bot_go_neb_http_header_strict_transport_security and matrix_bot_go_neb_container_labels_traefik_tls else {}) + }} +matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_go_neb_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_go_neb_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_go_neb_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_go_neb_container_extra_arguments: [] @@ -27,6 +90,57 @@ matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-bot-go-neb.service wants matrix_bot_go_neb_systemd_wanted_services_list: [] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_bot_go_neb_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_bot_go_neb_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_bot_go_neb_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_bot_go_neb_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_bot_go_neb_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_bot_go_neb_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_bot_go_neb_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_bot_go_neb_content_permission_policy` +matrix_bot_go_neb_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_bot_go_neb_http_header_strict_transport_security` +matrix_bot_go_neb_hsts_preload_enabled: false + # Database-related configuration fields. # # MUST be "sqlite3". No other type is supported. diff --git a/roles/custom/matrix-bot-go-neb/tasks/init.yml b/roles/custom/matrix-bot-go-neb/tasks/init.yml deleted file mode 100644 index 9d5b4f896..000000000 --- a/roles/custom/matrix-bot-go-neb/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}" - when: matrix_bot_go_neb_enabled | bool diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml b/roles/custom/matrix-bot-go-neb/tasks/install.yml similarity index 62% rename from roles/custom/matrix-bot-go-neb/tasks/setup_install.yml rename to roles/custom/matrix-bot-go-neb/tasks/install.yml index 70aec14ad..9cb85db39 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/install.yml @@ -1,8 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_bot_go_neb_requires_restart: false - - name: Ensure go-neb paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -16,17 +13,6 @@ - {path: "{{ matrix_bot_go_neb_data_store_path }}", when: true} when: "item.when | bool" -- name: Ensure go-neb image is pulled - community.docker.docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - - name: Ensure go-neb config installed ansible.builtin.copy: content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}" @@ -35,20 +21,35 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure go-neb support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure go-neb container network is created + community.general.docker_network: + name: "{{ matrix_bot_go_neb_container_network }}" + driver: bridge + +- name: Ensure go-neb container image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_go_neb_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + - name: Ensure matrix-bot-go-neb.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" mode: 0644 - register: matrix_bot_go_neb_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_go_neb_systemd_service_result.changed | bool" - -- name: Ensure matrix-bot-go-neb.service restarted, if necessary - ansible.builtin.service: - name: "matrix-bot-go-neb.service" - state: restarted - when: "matrix_bot_go_neb_requires_restart | bool" diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 27487ac53..9367419da 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: +- tags: - setup-all - setup-bot-go-neb + - install-all + - install-bot-go-neb + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: - - setup-all - - setup-bot-go-neb + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" - tags: +- tags: - setup-all - setup-bot-go-neb + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml deleted file mode 100644 index d5caa86b7..000000000 --- a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Check existence of matrix-go-neb service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" - register: matrix_bot_go_neb_service_stat - -- name: Ensure matrix-go-neb is stopped - ansible.builtin.service: - name: matrix-bot-go-neb - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_go_neb_service_stat.stat.exists | bool" - -- name: Ensure matrix-bot-go-neb.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" - state: absent - when: "matrix_bot_go_neb_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_go_neb_service_stat.stat.exists | bool" - -- name: Ensure Matrix go-neb paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_go_neb_base_path }}" - state: absent - -- name: Ensure go-neb Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - state: absent diff --git a/roles/custom/matrix-bot-go-neb/tasks/uninstall.yml b/roles/custom/matrix-bot-go-neb/tasks/uninstall.yml new file mode 100644 index 000000000..cc5f9fa57 --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-go-neb service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" + register: matrix_bot_go_neb_service_stat + +- when: matrix_bot_go_neb_service_stat.stat.exists | bool + block: + - name: Ensure matrix-go-neb is stopped + ansible.builtin.service: + name: matrix-bot-go-neb + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-bot-go-neb.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" + state: absent + + - name: Ensure Matrix go-neb paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_go_neb_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-go-neb/templates/env.j2 b/roles/custom/matrix-bot-go-neb/templates/env.j2 new file mode 100644 index 000000000..22e605e5c --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/env.j2 @@ -0,0 +1,8 @@ +BIND_ADDRESS=:4050 + +DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }} +DATABASE_URL={{ matrix_bot_go_neb_storage_database }} + +BASE_URL={{ matrix_bot_go_neb_base_url }} + +CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }} diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2 new file mode 100644 index 000000000..54aa25835 --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_bot_go_neb_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_go_neb_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-go-neb-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-go-neb-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-go-neb-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-bot-go-neb-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-bot-go-neb-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-bot-go-neb.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} +{% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-go-neb.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-go-neb.service=matrix-bot-go-neb +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-bot-go-neb.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-bot-go-neb.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} +{% if matrix_bot_go_neb_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050 +{% endif %} + +{{ matrix_bot_go_neb_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index a57df57e2..150cd665f 100644 --- a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -16,31 +16,37 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-go-neb \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-go-neb \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_go_neb_container_network }} \ {% if matrix_bot_go_neb_container_http_host_bind_port %} -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ {% endif %} - -e 'BIND_ADDRESS=:4050' \ - -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ - -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ - -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ - -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --env-file={{ matrix_bot_go_neb_base_path }}/env \ + --label-file={{ matrix_bot_go_neb_base_path }}/labels \ --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ --entrypoint=/bin/sh \ {% for arg in matrix_bot_go_neb_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_go_neb_docker_image }} \ + {{ matrix_bot_go_neb_container_image }} \ -c "go-neb /config/config.yaml" +{% for network in matrix_bot_go_neb_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-go-neb +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 3510f4732..90ffa0c64 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -4,14 +4,25 @@ matrix_bot_honoroit_enabled: true +# The hostname at which honoroit is served. +matrix_bot_honoroit_hostname: '' + +# The path at which honoroit is exposed. +# This value must either be `/` or not end with a slash (e.g. `/honoroit`). +matrix_bot_honoroit_path_prefix: / + +# The path at which honoroit will expose metrics +# This value must either be `/` or not end with a slash (e.g. `/metrics`). +matrix_bot_honoroit_metrics_path: /metrics + matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.16 -matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_version: v0.9.17 +matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" @@ -19,6 +30,54 @@ matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config" matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data" matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_honoroit_container_network: matrix-bot-honoroit + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_honoroit_container_additional_networks: [] + +# enable basic auth for metrics +matrix_bot_honoroit_basicauth_enabled: false +# temporary file name on the host that runs ansible +matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd" +# username +matrix_bot_honoroit_basicauth_user: '' +# password +matrix_bot_honoroit_basicauth_password: '' + +# matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_honoroit_container_labels_additional_labels`. +matrix_bot_honoroit_container_labels_traefik_enabled: true +matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_honoroit_container_network }}" +matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). +matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" +matrix_bot_honoroit_container_labels_traefik_priority: 0 +matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure +matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_honoroit_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom` +matrix_bot_honoroit_container_labels_traefik_additional_response_headers: "{{ matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto: {} +matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_honoroit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_honoroit_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_honoroit_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_honoroit_container_extra_arguments: [] @@ -43,7 +102,7 @@ matrix_bot_honoroit_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_honoroit_database_username: 'honoroit' matrix_bot_honoroit_database_password: 'some-password' -matrix_bot_honoroit_database_hostname: 'matrix-postgres' +matrix_bot_honoroit_database_hostname: '' matrix_bot_honoroit_database_port: 5432 matrix_bot_honoroit_database_name: 'honoroit' diff --git a/roles/custom/matrix-bot-honoroit/tasks/init.yml b/roles/custom/matrix-bot-honoroit/tasks/init.yml deleted file mode 100644 index 1b03373c8..000000000 --- a/roles/custom/matrix-bot-honoroit/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-honoroit.service'] }}" - when: matrix_bot_honoroit_enabled | bool diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml index 5de468fe7..9b4e29089 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/main.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: +- tags: - setup-all - setup-bot-honoroit + - install-all + - install-bot-honoroit + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: - - setup-all - - setup-bot-honoroit + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" - tags: +- tags: - setup-all - setup-bot-honoroit + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index 05dcd7c7c..12d3ff1fd 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -11,8 +11,11 @@ - when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" dst: "{{ matrix_bot_honoroit_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -20,10 +23,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-honoroit.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_bot_honoroit_requires_restart: true @@ -41,13 +40,39 @@ - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Ensure honoroit environment variables file created +- name: Determine basicauth filename + ansible.builtin.set_fact: + matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}" + when: matrix_bot_honoroit_basicauth_enabled | bool + +- name: Generate basic auth file + community.general.htpasswd: + path: "{{ matrix_bot_honoroit_basicauth_file }}" + name: "{{ matrix_bot_honoroit_basicauth_user }}" + password: "{{ matrix_bot_honoroit_basicauth_password }}" + mode: 0640 + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_honoroit_basicauth_enabled | bool + +- name: Ensure honoroit support files installed ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_bot_honoroit_config_path }}/env" + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_honoroit_config_path }}/{{ item }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 + with_items: + - env + - labels + +- name: Ensure temporary basic auth file is removed + ansible.builtin.file: + path: "{{ matrix_bot_honoroit_basicauth_file }}" + state: absent + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_honoroit_basicauth_enabled | bool - name: Ensure honoroit image is pulled community.docker.docker_image: @@ -84,6 +109,11 @@ pull: true when: "matrix_bot_honoroit_container_image_self_build | bool" +- name: Ensure honoroit container network is created + community.general.docker_network: + name: "{{ matrix_bot_honoroit_container_network }}" + driver: bridge + - name: Ensure matrix-bot-honoroit.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2" @@ -91,13 +121,9 @@ mode: 0644 register: matrix_bot_honoroit_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-honoroit.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_honoroit_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-honoroit.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-honoroit.service" state: restarted + daemon_reload: true when: "matrix_bot_honoroit_requires_restart | bool" diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml index 0fa83a02d..757345861 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-honoroit.service" register: matrix_bot_honoroit_service_stat -- name: Ensure matrix-honoroit is stopped - ansible.builtin.service: - name: matrix-bot-honoroit - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_honoroit_service_stat.stat.exists | bool" +- when: matrix_bot_honoroit_service_stat.stat.exists | bool + block: + - name: Ensure matrix-honoroit is stopped + ansible.builtin.service: + name: matrix-bot-honoroit + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-honoroit.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-honoroit.service" - state: absent - when: "matrix_bot_honoroit_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-honoroit.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_honoroit_service_stat.stat.exists | bool" - -- name: Ensure Matrix honoroit paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_honoroit_base_path }}" - state: absent + - name: Ensure matrix-bot-honoroit.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-honoroit.service" + state: absent -- name: Ensure honoroit Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_honoroit_docker_image }}" - state: absent + - name: Ensure Matrix honoroit paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_honoroit_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml b/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml index 0057e3c2c..228db8abc 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required honoroit settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_honoroit_password" - - "matrix_bot_honoroit_roomid" + - {'name': 'matrix_bot_honoroit_password', when: true} + - {'name': 'matrix_bot_honoroit_roomid', when: true} + - {'name': 'matrix_bot_honoroit_database_hostname', when: "{{ matrix_bot_honoroit_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 new file mode 100644 index 000000000..8e20ea459 --- /dev/null +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 @@ -0,0 +1,51 @@ +{% if matrix_bot_honoroit_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_honoroit_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} +{% set middlewares_metrics = [] %} + +{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-honoroit-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-honoroit-strip-prefix.stripprefix.prefixes={{ matrix_bot_honoroit_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-honoroit-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_honoroit_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_honoroit_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %} +{% endif %} + +{% if matrix_bot_honoroit_basicauth_enabled %} +traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }} +{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} +{% endif %} + +{% if middlewares_metrics | length > 0 %} +traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} +{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics +traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }} +traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} +{% if matrix_bot_honoroit_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080 +{% endif %} + +{% endif %} + +{{ matrix_bot_honoroit_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 index 2cce62da5..9bbc7d10b 100644 --- a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -16,19 +16,28 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-honoroit \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-honoroit \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_honoroit_container_network }} \ --env-file={{ matrix_bot_honoroit_config_path }}/env \ + --label-file={{ matrix_bot_honoroit_config_path }}/labels \ --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ {% for arg in matrix_bot_honoroit_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_bot_honoroit_docker_image }} +{% for network in matrix_bot_honoroit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-honoroit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-honoroit + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true' Restart=always diff --git a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml index d8e52b719..41143566a 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml @@ -8,8 +8,10 @@ matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matri matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}" matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src" -matrix_bot_matrix_registration_bot_version: latest -matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_version }}" +matrix_bot_matrix_registration_bot_version: 1.3.0 +matrix_bot_matrix_registration_bot_docker_iteration: 0 +matrix_bot_matrix_registration_bot_docker_tag: "{{ matrix_bot_matrix_registration_bot_version }}-{{ matrix_bot_matrix_registration_bot_docker_iteration}}" +matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_docker_tag }}" matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matrix_registration_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot" @@ -19,15 +21,15 @@ matrix_bot_matrix_registration_bot_data_path: "{{ matrix_bot_matrix_registration matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}" matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}" -# The access token that the bot uses to communicate in Matrix chats -# This does not necessarily need to be a privileged (admin) access token. -matrix_bot_matrix_registration_bot_bot_access_token: '' -# The access token that the bot uses to call the Matrix API for creating registration tokens. -# This needs to be a privileged (admin) access token. -# By default, we assume `matrix_bot_matrix_registration_bot_bot_access_token` is such a privileged token and we use it as is. -# If necessary, you can define your own other access token here, which might even be for a different Matrix user. -matrix_bot_matrix_registration_bot_api_token: "{{ matrix_bot_matrix_registration_bot_bot_access_token }}" +# The bot's password (can also be used to login via a client like element) +matrix_bot_matrix_registration_bot_bot_password: '' + +# Optional variable that only needs to be set if the bot account is not admin +# Needs to be a valid access token of an admin account +matrix_bot_matrix_registration_bot_api_token: '' + +matrix_bot_matrix_registration_bot_device_id: "matrix-docker-ansible-deploy" matrix_bot_matrix_registration_bot_logging_level: info matrix_bot_matrix_registration_environment_variables_extension: '' diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml new file mode 100644 index 000000000..ae4433b8f --- /dev/null +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml @@ -0,0 +1,12 @@ +--- + +- name: Delete cache files + ansible.builtin.file: + state: "{{ item }}" + path: "{{ matrix_bot_matrix_registration_bot_data_path }}" + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - absent + - directory diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml deleted file mode 100644 index 91b1f095d..000000000 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-registration-bot.service'] }}" - when: matrix_bot_matrix_registration_bot_enabled | bool diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index cc162e991..cd11c1d5d 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml @@ -1,23 +1,26 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_matrix_registration_bot_enabled | bool" - tags: +- tags: - setup-all - setup-bot-matrix-registration-bot + - install-all + - install-bot-matrix-registration-bot + block: + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_matrix_registration_bot_enabled | bool" - tags: - - setup-all - - setup-bot-matrix-registration-bot + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_matrix_registration_bot_enabled | bool" - tags: +- tags: - setup-all - setup-bot-matrix-registration-bot + block: + - when: not matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + +- tags: + - bot-matrix-registration-bot-clean-cache + block: + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/clean_cache.yml" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml index 3838fa079..655f3d275 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml @@ -9,7 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true} - - - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} + - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} - {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true} when: "item.when | bool" @@ -61,14 +61,3 @@ src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-registration-bot.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" mode: 0644 - register: matrix_bot_matrix_registration_bot_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-matrix-registration-bot.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_registration_bot_systemd_service_result.changed | bool" - -- name: Ensure matrix-bot-matrix-registration-bot.service restarted, if necessary - ansible.builtin.service: - name: "matrix-bot-matrix-registration-bot.service" - state: restarted diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml index c7ee13652..b83ea783b 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" register: matrix_bot_matrix_registration_bot_service_stat -- name: Ensure matrix-matrix-registration-bot is stopped - ansible.builtin.service: - name: matrix-bot-matrix-registration-bot - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool" +- when: matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-matrix-registration-bot is stopped + ansible.builtin.service: + name: matrix-bot-matrix-registration-bot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-matrix-registration-bot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" - state: absent - when: "matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-matrix-registration-bot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool" - -- name: Ensure Matrix matrix-registration-bot paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_matrix_registration_bot_base_path }}" - state: absent + - name: Ensure matrix-bot-matrix-registration-bot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" + state: absent -- name: Ensure matrix-registration-bot Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_matrix_registration_bot_docker_image }}" - state: absent + - name: Ensure Matrix matrix-registration-bot paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_matrix_registration_bot_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml index 39e97cde2..b7a475639 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml @@ -5,6 +5,13 @@ msg: >- You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" + with_items: + - "matrix_bot_matrix_registration_bot_bot_password" + +- name: (Deprecation) Catch and report old settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which is deprecated - Please check the documentation on how to configure the matrix-registration-bot. + when: "item in vars" with_items: - "matrix_bot_matrix_registration_bot_bot_access_token" - - "matrix_bot_matrix_registration_bot_api_token" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 index 756efb018..4a2242aa2 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 +++ b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 @@ -1,12 +1,16 @@ bot: server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }} username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }} - access_token: {{ matrix_bot_matrix_registration_bot_bot_access_token|to_json }} + password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }} + api: # API endpoint of the registration tokens base_url: {{ matrix_bot_matrix_registration_bot_api_base_url|to_json }} # Access token of an administrator on the server +{% if matrix_bot_matrix_registration_bot_api_token | length > 0 %} token: {{ matrix_bot_matrix_registration_bot_api_token|to_json }} +{% endif %} + logging: level: {{ matrix_bot_matrix_registration_bot_logging_level|to_json }} diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml index 610a43a32..03f117679 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -44,7 +44,7 @@ matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_matrix_reminder_bot_database_username: 'matrix_reminder_bot' matrix_bot_matrix_reminder_bot_database_password: 'some-password' -matrix_bot_matrix_reminder_bot_database_hostname: 'matrix-postgres' +matrix_bot_matrix_reminder_bot_database_hostname: '' matrix_bot_matrix_reminder_bot_database_port: 5432 matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot' diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml deleted file mode 100644 index 0a5ba4821..000000000 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}" - when: matrix_bot_matrix_reminder_bot_enabled | bool diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml index 19c3823fa..f475afc06 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_matrix_reminder_bot_enabled | bool" - tags: +- tags: - setup-all - setup-bot-matrix-reminder-bot + - install-all + - install-bot-matrix-reminder-bot + block: + - when: matrix_bot_matrix_reminder_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_matrix_reminder_bot_enabled | bool" - tags: - - setup-all - - setup-bot-matrix-reminder-bot + - when: matrix_bot_matrix_reminder_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_matrix_reminder_bot_enabled | bool" - tags: +- tags: - setup-all - setup-bot-matrix-reminder-bot + block: + - when: not matrix_bot_matrix_reminder_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 00e25c361..39bf63e64 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -12,8 +12,11 @@ - when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}" dst: "{{ matrix_bot_matrix_reminder_bot_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -21,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_bot_matrix_reminder_bot_requires_restart: true @@ -92,13 +91,9 @@ mode: 0644 register: matrix_bot_matrix_reminder_bot_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_reminder_bot_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-matrix-reminder-bot.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-matrix-reminder-bot.service" state: restarted + daemon_reload: true when: "matrix_bot_matrix_reminder_bot_requires_restart | bool" diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml index 1b940f32e..512c0f2dd 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-reminder-bot.service" register: matrix_bot_matrix_reminder_bot_service_stat -- name: Ensure matrix-matrix-reminder-bot is stopped - ansible.builtin.service: - name: matrix-bot-matrix-reminder-bot - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool" +- when: matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-matrix-reminder-bot is stopped + ansible.builtin.service: + name: matrix-bot-matrix-reminder-bot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-matrix-reminder-bot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-reminder-bot.service" - state: absent - when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool" - -- name: Ensure Matrix matrix-reminder-bot paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_matrix_reminder_bot_base_path }}" - state: absent + - name: Ensure matrix-bot-matrix-reminder-bot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-reminder-bot.service" + state: absent -- name: Ensure matrix-reminder-bot Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" - state: absent + - name: Ensure Matrix matrix-reminder-bot paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_matrix_reminder_bot_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml index 54f38dd51..f6e7afdf6 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml @@ -1,15 +1,16 @@ --- -- name: Fail if required settings not defined +- name: Fail if required matrix-reminder-bot settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_matrix_reminder_bot_matrix_user_password" - - "matrix_bot_matrix_reminder_bot_reminders_timezone" + - {'name': 'matrix_bot_matrix_reminder_bot_matrix_user_password', when: true} + - {'name': 'matrix_bot_matrix_reminder_bot_reminders_timezone', when: true} + - {'name': 'matrix_bot_matrix_reminder_bot_database_hostname', when: "{{ matrix_bot_matrix_reminder_bot_database_engine == 'postgres' }}"} -- name: (Deprecation) Catch and report renamed settings +- name: (Deprecation) Catch and report renamed matrix-reminder-bot settings ansible.builtin.fail: msg: >- Your configuration contains a variable, which now has a different name. diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index 0a73d92e0..a31d81913 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml @@ -10,8 +10,9 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}" -matrix_bot_maubot_version: v0.3.1 -matrix_bot_maubot_docker_image: "dock.mau.dev/maubot/maubot:{{ matrix_bot_maubot_version }}" +matrix_bot_maubot_version: v0.4.1 +matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}" +matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}" matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}" matrix_bot_maubot_base_path: "{{ matrix_base_data_path }}/maubot" @@ -27,7 +28,7 @@ matrix_bot_maubot_sqlite_database_path_in_container: "/data/maubot.db" matrix_bot_maubot_database_username: matrix_bot_maubot matrix_bot_maubot_database_password: ~ -matrix_bot_maubot_database_hostname: 'matrix-postgres' +matrix_bot_maubot_database_hostname: '' matrix_bot_maubot_database_port: 5432 matrix_bot_maubot_database_name: matrix_bot_maubot diff --git a/roles/custom/matrix-bot-maubot/tasks/init.yml b/roles/custom/matrix-bot-maubot/tasks/inject_into_nginx_proxy.yml similarity index 90% rename from roles/custom/matrix-bot-maubot/tasks/init.yml rename to roles/custom/matrix-bot-maubot/tasks/inject_into_nginx_proxy.yml index ccb5956e6..f7aec6273 100644 --- a/roles/custom/matrix-bot-maubot/tasks/init.yml +++ b/roles/custom/matrix-bot-maubot/tasks/inject_into_nginx_proxy.yml @@ -1,10 +1,5 @@ --- -- name: Add maubot to the systemd service list - ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-maubot.service'] }}" - when: matrix_bot_maubot_enabled | bool - - name: Configure nginx for maubot block: - name: Generate Maubot proxying configuration for matrix-nginx-proxy diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml index 773f4b9fa..3241795b5 100644 --- a/roles/custom/matrix-bot-maubot/tasks/main.yml +++ b/roles/custom/matrix-bot-maubot/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_bot_maubot_enabled|bool" - tags: +- tags: - setup-all - - setup-bot-maubot + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_bot_maubot_enabled|bool" - tags: +- tags: - setup-all - setup-bot-maubot + - install-all + - install-bot-maubot + block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_bot_maubot_enabled|bool" - tags: +- tags: - setup-all - setup-bot-maubot + block: + - when: not matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml index 22f53b6fe..60b87861e 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml @@ -53,7 +53,7 @@ name: "{{ matrix_bot_maubot_docker_image }}" source: build force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_bot_maubot_docker_src_files_path }}" @@ -65,9 +65,3 @@ src: "{{ role_path }}/templates/systemd/matrix-bot-maubot.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" mode: 0644 - register: matrix_bot_maubot_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-maubot.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_maubot_systemd_service_result.changed|bool" diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml index 33b8fc149..9d7695763 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" register: matrix_bot_maubot_service_stat -- name: Ensure matrix-bot-maubot is stopped - ansible.builtin.service: - name: matrix-bot-maubot - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_maubot_service_stat.stat.exists | bool" +- when: matrix_bot_maubot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-maubot is stopped + ansible.builtin.service: + name: matrix-bot-maubot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-maubot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" - state: absent - when: "matrix_bot_maubot_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-maubot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_maubot_service_stat.stat.exists | bool" - -- name: Ensure Matrix maubot paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_maubot_base_path }}" - state: absent + - name: Ensure matrix-bot-maubot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" + state: absent -- name: Ensure maubot Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_maubot_docker_image }}" - state: absent + - name: Ensure Matrix maubot paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_maubot_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-maubot/tasks/validate_config.yml b/roles/custom/matrix-bot-maubot/tasks/validate_config.yml index 5b28d9c0e..d8bac550a 100644 --- a/roles/custom/matrix-bot-maubot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-maubot/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required maubot settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - matrix_bot_maubot_unshared_secret - - matrix_bot_maubot_admins + - {'name': 'matrix_bot_maubot_unshared_secret', when: true} + - {'name': 'matrix_bot_maubot_admins', when: true} + - {'name': 'matrix_bot_maubot_database_hostname', when: "{{ matrix_bot_maubot_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 index 49bbcb878..7750ec9a3 100644 --- a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 +++ b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 @@ -60,7 +60,7 @@ server: homeservers: {{ matrix_domain }}: # Client-server API URL - url: "https://{{ matrix_server_fqn_matrix }}" + url: {{ matrix_homeserver_container_url | to_json }} # registration_shared_secret from synapse config # You can leave this empty if you don't have access to the homeserver. # When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will. diff --git a/roles/custom/matrix-bot-mjolnir/defaults/main.yml b/roles/custom/matrix-bot-mjolnir/defaults/main.yml index 0be97eaec..ecbbdb884 100644 --- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.5.0" +matrix_bot_mjolnir_version: "v1.6.4" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" diff --git a/roles/custom/matrix-bot-mjolnir/tasks/init.yml b/roles/custom/matrix-bot-mjolnir/tasks/init.yml deleted file mode 100644 index 2b6053428..000000000 --- a/roles/custom/matrix-bot-mjolnir/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mjolnir image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_bot_mjolnir_container_image_self_build and matrix_bot_mjolnir_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}" - when: matrix_bot_mjolnir_enabled | bool diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml index 867201a20..03f5ba905 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_mjolnir_enabled | bool" - tags: +- tags: - setup-all - setup-bot-mjolnir + - install-all + - install-bot-mjolnir + block: + - when: matrix_bot_mjolnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_mjolnir_enabled | bool" - tags: - - setup-all - - setup-bot-mjolnir + - when: matrix_bot_mjolnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_mjolnir_enabled | bool" - tags: +- tags: - setup-all - setup-bot-mjolnir + block: + - when: not matrix_bot_mjolnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml b/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml index 995e3b2be..3088fe8bd 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml @@ -66,13 +66,9 @@ mode: 0644 register: matrix_bot_mjolnir_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-mjolnir.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_mjolnir_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-mjolnir.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-mjolnir.service" state: restarted + daemon_reload: true when: "matrix_bot_mjolnir_requires_restart | bool" diff --git a/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml index 708a7bb01..06be71e15 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-mjolnir.service" register: matrix_bot_mjolnir_service_stat -- name: Ensure matrix-bot-mjolnir is stopped - ansible.builtin.service: - name: matrix-bot-mjolnir - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_mjolnir_service_stat.stat.exists | bool" +- when: matrix_bot_mjolnir_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-mjolnir is stopped + ansible.builtin.service: + name: matrix-bot-mjolnir + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-mjolnir.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-mjolnir.service" - state: absent - when: "matrix_bot_mjolnir_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-mjolnir.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_mjolnir_service_stat.stat.exists | bool" - -- name: Ensure matrix-bot-mjolnir paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_mjolnir_base_path }}" - state: absent + - name: Ensure matrix-bot-mjolnir.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-mjolnir.service" + state: absent -- name: Ensure mjolnir Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_mjolnir_docker_image }}" - state: absent + - name: Ensure matrix-bot-mjolnir paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_mjolnir_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index af6c23ac0..0c9db2d70 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -9,9 +9,9 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.8 -matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}" -matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_postmoogle_version: v0.9.14 +matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" +matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" matrix_bot_postmoogle_base_path: "{{ matrix_base_data_path }}/postmoogle" @@ -42,7 +42,7 @@ matrix_bot_postmoogle_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_postmoogle_database_username: 'postmoogle' matrix_bot_postmoogle_database_password: 'some-password' -matrix_bot_postmoogle_database_hostname: 'matrix-postgres' +matrix_bot_postmoogle_database_hostname: '' matrix_bot_postmoogle_database_port: 5432 matrix_bot_postmoogle_database_name: 'postmoogle' @@ -78,38 +78,38 @@ matrix_bot_postmoogle_prefix: '!pm' # Max email size in megabytes, including attachments matrix_bot_postmoogle_maxsize: '1024' -# DEPRECATED, use !pm users instead -# A list of whitelisted users allowed to use the bridge. -# If not defined, everyone is allowed. -# Example set of rules: -# matrix_bot_postmoogle_users: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com -matrix_bot_postmoogle_users: - - "@*:{{ matrix_domain }}" - # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com +# - '@someone:example.com' +# - '@another:example.com' +# - '@bot.*:example.com' +# - '@*:another.com' matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}" -# Sentry DSN +# Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn matrix_bot_postmoogle_sentry: '' +# Sentry integration +matrix_bot_postmoogle_monitoring_sentry_dsn: "{{ matrix_bot_postmoogle_sentry }}" +matrix_bot_postmoogle_monitoring_sentry_rate: 20 + +# healthchecks.io integration +matrix_bot_postmoogle_monitoring_healthchecks_uuid: '' +matrix_bot_postmoogle_monitoring_healthchecks_duration: 60 + # Log level matrix_bot_postmoogle_loglevel: 'INFO' # Disable encryption matrix_bot_postmoogle_noencryption: false +# deprecated, use matrix_bot_postmoogle_domains matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}" +matrix_bot_postmoogle_domains: + - "{{ matrix_bot_postmoogle_domain }}" # backward compatibility + # Password (passphrase) to encrypt account data matrix_bot_postmoogle_data_secret: "" @@ -126,15 +126,15 @@ matrix_bot_postmoogle_submission_host_bind_port: '587' matrix_bot_postmoogle_ssl_path: "" ## in-container SSL paths -# matrix_bot_postmoogle_tls_cert is the SSL certificate's certificate. -# This is likely set via group_vars/matrix_servers, so you don't need to set it. +# matrix_bot_postmoogle_tls_cert is the SSL certificates' certificates. +# This var is likely set via group_vars/matrix_servers, so you don't need to set certs manually. # If you do need to set it manually, note that this is an in-container path. # To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path # Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem matrix_bot_postmoogle_tls_cert: "" -# matrix_bot_postmoogle_tls_key is the SSL certificate's key. -# This is likely set via group_vars/matrix_servers, so you don't need to set it. +# matrix_bot_postmoogle_tls_key is the SSL certificates' keys. +# This var is likely set via group_vars/matrix_servers, so you don't need to set keys manually. # If you do need to set it manually, note that this is an in-container path. # To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path # Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem @@ -143,6 +143,15 @@ matrix_bot_postmoogle_tls_key: "" # Mandatory TLS, even on plain SMTP port matrix_bot_postmoogle_tls_required: false +# trusted proxies +matrix_bot_postmoogle_proxies: [] + +# reserved mailboxes +matrix_bot_postmoogle_mailboxes_reserved: [] + +# mailbox activation flow +matrix_bot_postmoogle_mailboxes_activation: none + # Additional environment variables to pass to the postmoogle container # # Example: diff --git a/roles/custom/matrix-bot-postmoogle/tasks/init.yml b/roles/custom/matrix-bot-postmoogle/tasks/init.yml deleted file mode 100644 index 16b781713..000000000 --- a/roles/custom/matrix-bot-postmoogle/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-postmoogle.service'] }}" - when: matrix_bot_postmoogle_enabled | bool diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml index cbe590e17..b77040392 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool" - tags: +- tags: - setup-all - setup-bot-postmoogle + - install-all + - install-bot-postmoogle + block: + - when: matrix_bot_postmoogle_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool" - tags: - - setup-all - - setup-bot-postmoogle + - when: matrix_bot_postmoogle_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_postmoogle_enabled | bool" - tags: +- tags: - setup-all - setup-bot-postmoogle + block: + - when: not matrix_bot_postmoogle_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml index 993cf8e5b..ed2bcc9d6 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml @@ -8,8 +8,11 @@ - when: "matrix_bot_postmoogle_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_bot_postmoogle_sqlite_database_path_local }}" dst: "{{ matrix_bot_postmoogle_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -17,10 +20,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-postmoogle.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_bot_postmoogle_requires_restart: true @@ -86,8 +85,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" mode: 0644 register: matrix_bot_postmoogle_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-postmoogle.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_postmoogle_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml index 198df7d78..93e00dda2 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" register: matrix_bot_postmoogle_service_stat -- name: Ensure matrix-postmoogle is stopped - ansible.builtin.service: - name: matrix-bot-postmoogle - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_postmoogle_service_stat.stat.exists | bool" +- when: matrix_bot_postmoogle_service_stat.stat.exists | bool + block: + - name: Ensure matrix-postmoogle is stopped + ansible.builtin.service: + name: matrix-bot-postmoogle + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-postmoogle.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" - state: absent - when: "matrix_bot_postmoogle_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-postmoogle.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_postmoogle_service_stat.stat.exists | bool" - -- name: Ensure Matrix postmoogle paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_postmoogle_base_path }}" - state: absent + - name: Ensure matrix-bot-postmoogle.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" + state: absent -- name: Ensure postmoogle Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_postmoogle_docker_image }}" - state: absent + - name: Ensure Matrix postmoogle paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_postmoogle_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml b/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml index b5d9d1ed2..1e31bd4f6 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml @@ -1,9 +1,10 @@ --- -- name: Fail if required settings not defined +- name: Fail if required Postmoogle settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_postmoogle_password" + - {'name': 'matrix_bot_postmoogle_password', when: true} + - {'name': 'matrix_bot_postmoogle_database_hostname', when: "{{ matrix_bot_postmoogle_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-postmoogle/templates/env.j2 b/roles/custom/matrix-bot-postmoogle/templates/env.j2 index c81510534..072d12dad 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/env.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/env.j2 @@ -1,13 +1,12 @@ POSTMOOGLE_LOGIN={{ matrix_bot_postmoogle_login }} POSTMOOGLE_PASSWORD={{ matrix_bot_postmoogle_password }} POSTMOOGLE_HOMESERVER={{ matrix_bot_postmoogle_homeserver }} -POSTMOOGLE_DOMAIN={{ matrix_bot_postmoogle_domain }} +POSTMOOGLE_DOMAINS={{ matrix_bot_postmoogle_domains | join(' ') }} POSTMOOGLE_PORT={{ matrix_bot_postmoogle_port }} POSTMOOGLE_DB_DSN={{ matrix_bot_postmoogle_database_connection_string }} POSTMOOGLE_DB_DIALECT={{ matrix_bot_postmoogle_database_dialect }} POSTMOOGLE_PREFIX={{ matrix_bot_postmoogle_prefix }} POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }} -POSTMOOGLE_SENTRY={{ matrix_bot_postmoogle_sentry }} POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }} POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }} POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }} @@ -16,5 +15,12 @@ POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }} POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }} POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }} POSTMOOGLE_DATA_SECRET={{ matrix_bot_postmoogle_data_secret }} +POSTMOOGLE_PROXIES={{ matrix_bot_postmoogle_proxies | join(' ') }} +POSTMOOGLE_MONITORING_SENTRY_DSN={{ matrix_bot_postmoogle_monitoring_sentry_dsn }} +POSTMOOGLE_MONITORING_SENTRY_RATE={{ matrix_bot_postmoogle_monitoring_sentry_rate }} +POSTMOOGLE_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_postmoogle_monitoring_healthchecks_uuid }} +POSTMOOGLE_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_postmoogle_monitoring_healthchecks_duration }} +POSTMOOGLE_MAILBOXES_RESERVED={{ matrix_bot_postmoogle_mailboxes_reserved | join(' ') }} +POSTMOOGLE_MAILBOXES_ACTIVATION={{ matrix_bot_postmoogle_mailboxes_activation }} {{ matrix_bot_postmoogle_environment_variables_extension }} diff --git a/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 b/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 index f2610600c..ab1177f67 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix helpdesk bot +Description=Matrix Postmoogle bot {% for service in matrix_bot_postmoogle_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml index 9e061d678..ec194855e 100644 --- a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml @@ -60,7 +60,7 @@ matrix_appservice_discord_sqlite_database_path_in_container: "/data/discord.db" matrix_appservice_discord_database_username: 'matrix_appservice_discord' matrix_appservice_discord_database_password: 'some-password' -matrix_appservice_discord_database_hostname: 'matrix-postgres' +matrix_appservice_discord_database_hostname: '' matrix_appservice_discord_database_port: 5432 matrix_appservice_discord_database_name: 'matrix_appservice_discord' diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/init.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/init.yml deleted file mode 100644 index 915d73021..000000000 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/init.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role. - when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}" - when: matrix_appservice_discord_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_appservice_discord_config_path }}/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-appservice-discord-registration.yaml"] - }} - when: matrix_appservice_discord_enabled | bool diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml index 7ab8f3a65..88a772204 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_discord_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-discord + - install-all + - install-appservice-discord + block: + - when: matrix_appservice_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_discord_enabled | bool" - tags: - - setup-all - - setup-appservice-discord + - when: matrix_appservice_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_discord_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-discord + block: + - when: not matrix_appservice_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index f04e7f69e..632948bcd 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -12,8 +12,11 @@ - when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_appservice_discord_sqlite_database_path_local }}" dst: "{{ matrix_appservice_discord_database_connString }}" caller: "{{ role_path | basename }}" @@ -21,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-appservice-discord.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_appservice_discord_requires_restart: true @@ -66,7 +65,10 @@ when: "matrix_appservice_discord_stat_db.stat.exists" - name: (Data relocation) Move AppService Discord discord.db file to ./data directory - ansible.builtin.command: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + ansible.builtin.command: + cmd: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + creates: "{{ matrix_appservice_discord_data_path }}/{{ item }}" + removes: "{{ matrix_appservice_discord_base_path }}/{{ item }}" with_items: - discord.db - user-store.db @@ -109,13 +111,9 @@ mode: 0644 register: matrix_appservice_discord_systemd_service_result -- name: Ensure systemd reloaded after matrix-appservice-discord.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_discord_systemd_service_result.changed" - - name: Ensure matrix-appservice-discord.service restarted, if necessary ansible.builtin.service: name: "matrix-appservice-discord.service" state: restarted + daemon_reload: true when: "matrix_appservice_discord_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml index 50d108fa5..ca2354c63 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-discord.service" register: matrix_appservice_discord_service_stat -- name: Ensure matrix-appservice-discord is stopped - ansible.builtin.service: - name: matrix-appservice-discord - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_discord_service_stat.stat.exists" +- when: matrix_appservice_discord_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-discord is stopped + ansible.builtin.service: + name: matrix-appservice-discord + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-discord.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-discord.service" - state: absent - when: "matrix_appservice_discord_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-discord.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_discord_service_stat.stat.exists" + - name: Ensure matrix-appservice-discord.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-discord.service" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml index e005f162b..fab6a5b6e 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml @@ -1,16 +1,17 @@ --- -- name: Fail if required settings not defined +- name: Fail if required appservice-discord settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_discord_client_id" - - "matrix_appservice_discord_bot_token" - - "matrix_appservice_discord_appservice_token" - - "matrix_appservice_discord_homeserver_token" - - "matrix_appservice_discord_homeserver_domain" + - {'name': 'matrix_appservice_discord_client_id', when: true} + - {'name': 'matrix_appservice_discord_bot_token', when: true} + - {'name': 'matrix_appservice_discord_appservice_token', when: true} + - {'name': 'matrix_appservice_discord_homeserver_token', when: true} + - {'name': 'matrix_appservice_discord_homeserver_domain', when: true} + - {'name': 'matrix_appservice_discord_database_hostname', when: "{{ matrix_appservice_discord_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed appservice-discord variables ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index d54a7685d..b6e6f1195 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.36.0 +matrix_appservice_irc_version: 0.38.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" @@ -29,8 +29,8 @@ matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999' matrix_appservice_irc_database_engine: nedb matrix_appservice_irc_database_username: matrix_appservice_irc -matrix_appservice_irc_database_password: ~ -matrix_appservice_irc_database_hostname: 'matrix-postgres' +matrix_appservice_irc_database_password: 'some-password' +matrix_appservice_irc_database_hostname: '' matrix_appservice_irc_database_port: 5432 matrix_appservice_irc_database_name: matrix_appservice_irc diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/init.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/init.yml deleted file mode 100644 index 031271279..000000000 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/init.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the matrix-appservice-irc image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_image_self_build and matrix_appservice_irc_enabled" - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-appservice-irc role needs to execute before the matrix-synapse role. - when: "matrix_appservice_irc_enabled | bool and matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}" - when: matrix_appservice_irc_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_appservice_irc_config_path }}/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-appservice-irc-registration.yaml"] - }} - when: matrix_appservice_irc_enabled | bool diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml index 41d2017b0..d46698480 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_irc_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-irc + - install-all + - install-appservice-irc + block: + - when: matrix_appservice_irc_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_irc_enabled | bool" - tags: - - setup-all - - setup-appservice-irc + - when: matrix_appservice_irc_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_irc_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-irc + block: + - when: not matrix_appservice_irc_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index 9dda24019..79978ecd3 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -2,8 +2,8 @@ - name: Fail if Postgres not enabled ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled | bool" + msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot migrate." + when: "not devture_postgres_enabled | bool" # Defaults @@ -14,19 +14,19 @@ # Actual import work -- name: Ensure matrix-postgres is started +- name: Ensure Postgres is started ansible.builtin.service: - name: matrix-postgres + name: "{{ devture_postgres_identifier }}" state: started daemon_reload: true - register: matrix_postgres_service_start_result + register: postgres_service_start_result - name: Wait a bit, so that Postgres can start ansible.builtin.wait_for: timeout: "{{ postgres_start_wait_time }}" delegate_to: 127.0.0.1 become: false - when: "matrix_postgres_service_start_result.changed | bool" + when: postgres_service_start_result.changed | bool - name: Check existence of matrix-appservice-irc service ansible.builtin.stat: diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 32d87408d..69a9aa4c8 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_role: +- ansible.builtin.include_role: name: custom/matrix-base tasks_from: ensure_openssl_installed @@ -60,7 +60,7 @@ - when: "matrix_appservice_irc_nedb_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" - ansible.builtin.set_fact: matrix_appservice_irc_requires_restart: true @@ -108,16 +108,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Check if Appservice IRC passkey exists - ansible.builtin.stat: - path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" - register: irc_passkey_file - - name: Generate Appservice IRC passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + creates: "{{ matrix_appservice_irc_data_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" - when: "not irc_passkey_file.stat.exists" # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay. # Fix it. @@ -199,13 +195,9 @@ mode: 0644 register: matrix_appservice_irc_systemd_service_result -- name: Ensure systemd reloaded after matrix-appservice-irc.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_irc_systemd_service_result.changed" - - name: Ensure matrix-appservice-irc.service restarted, if necessary ansible.builtin.service: name: "matrix-appservice-irc.service" state: restarted + daemon_reload: true when: "matrix_appservice_irc_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml index 8921d48e1..f16d3763f 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-irc.service" register: matrix_appservice_irc_service_stat -- name: Ensure matrix-appservice-irc is stopped - ansible.builtin.service: - name: matrix-appservice-irc - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_irc_service_stat.stat.exists" +- when: matrix_appservice_irc_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-irc is stopped + ansible.builtin.service: + name: matrix-appservice-irc + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-irc.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-irc.service" - state: absent - when: "matrix_appservice_irc_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-irc.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_irc_service_stat.stat.exists" + - name: Ensure matrix-appservice-irc.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-irc.service" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml index f0d887c8f..0c4c6c29d 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -3,11 +3,12 @@ - name: Fail if required settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_irc_appservice_token" - - "matrix_appservice_irc_homeserver_token" + - {'name': 'matrix_appservice_irc_appservice_token', when: true} + - {'name': 'matrix_appservice_irc_homeserver_token', when: true} + - {'name': 'matrix_appservice_irc_database_hostname', when: "{{ matrix_appservice_irc_database_engine == 'postgres' }}"} # Our base configuration (`matrix_appservice_irc_configuration_yaml`) is not enough to # let the playbook run without errors. diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml index f27f75c55..9f86be5fb 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml @@ -90,7 +90,7 @@ matrix_appservice_kakaotalk_sqlite_database_path_in_container: "/data/appservice matrix_appservice_kakaotalk_database_username: 'matrix_appservice_kakaotalk' matrix_appservice_kakaotalk_database_password: 'some-password' -matrix_appservice_kakaotalk_database_hostname: 'matrix-postgres' +matrix_appservice_kakaotalk_database_hostname: '' matrix_appservice_kakaotalk_database_port: 5432 matrix_appservice_kakaotalk_database_name: 'matrix_appservice_kakaotalk' @@ -110,6 +110,8 @@ matrix_appservice_kakaotalk_login_shared_secret: '' matrix_appservice_kakaotalk_bridge_login_shared_secret_map: "{{ {matrix_appservice_kakaotalk_homeserver_domain: matrix_appservice_kakaotalk_login_shared_secret} if matrix_appservice_kakaotalk_login_shared_secret else {} }}" +matrix_appservice_kakaotalk_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_appservice_kakaotalk_bridge_permissions: | {{ {matrix_appservice_kakaotalk_homeserver_domain: 'user'} @@ -120,7 +122,7 @@ matrix_appservice_kakaotalk_appservice_bot_username: kakaotalkbot matrix_appservice_kakaotalk_user_prefix: 'kakaotalk_' # End-to-bridge encryption configuration -matrix_appservice_kakaotalk_bridge_encryption_allow: false +matrix_appservice_kakaotalk_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_appservice_kakaotalk_bridge_encryption_default: "{{ matrix_appservice_kakaotalk_bridge_encryption_allow }}" # Specifies the default log level for all bridge loggers. diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml deleted file mode 100644 index 6112b5cce..000000000 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the appservice-kakaotalk image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_kakaotalk_container_image_self_build and matrix_appservice_kakaotalk_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-kakaotalk.service', 'matrix-appservice-kakaotalk-node.service'] }}" - when: matrix_appservice_kakaotalk_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_appservice_kakaotalk_config_path }}/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-appservice-kakaotalk-registration.yaml"] - }} - when: matrix_appservice_kakaotalk_enabled | bool diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml index dfb286f2c..7a360024e 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_kakaotalk_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-kakaotalk + - install-all + - install-appservice-kakaotalk + block: + - when: matrix_appservice_kakaotalk_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_kakaotalk_enabled | bool" - tags: - - setup-all - - setup-appservice-kakaotalk + - when: matrix_appservice_kakaotalk_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_kakaotalk_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-kakaotalk + block: + - when: not matrix_appservice_kakaotalk_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml index 2f5b6be15..bcf213cde 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-matrix-appservice-kakaotalk role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure matrix-appservice-kakaotalk image is pulled community.docker.docker_image: name: "{{ matrix_appservice_kakaotalk_docker_image }}" @@ -117,9 +109,3 @@ src: "{{ role_path }}/templates/systemd/matrix-appservice-kakaotalk.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service" mode: 0644 - register: matrix_appservice_kakaotalk_systemd_service_result - -- name: Ensure systemd reloaded after matrix-appservice-kakaotalk.service or matrix-appservice-kakaotalk-node.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_appservice_kakaotalk_node_systemd_service_result.changed or matrix_appservice_kakaotalk_systemd_service_result.changed diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml index 8e46d80f9..e258b9ab2 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml @@ -11,7 +11,7 @@ state: stopped enabled: false daemon_reload: true - when: "matrix_appservice_kakaotalk_service_stat.stat.exists" + when: matrix_appservice_kakaotalk_service_stat.stat.exists | bool - name: Check existence of matrix-appservice-kakaotalk-node service ansible.builtin.stat: @@ -24,7 +24,7 @@ state: stopped enabled: false daemon_reload: true - when: "matrix_appservice_kakaotalk_node_service_stat.stat.exists" + when: matrix_appservice_kakaotalk_node_service_stat.stat.exists | bool - name: Ensure matrix-appservice-kakaotalk.service files don't exist ansible.builtin.file: @@ -33,9 +33,4 @@ with_items: - "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk-node.service" - "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service" - when: "matrix_appservice_kakaotalk_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-kakaotalk service files removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_kakaotalk_service_stat.stat.exists or matrix_appservice_kakaotalk_node_service_stat.stat.exists" + when: matrix_appservice_kakaotalk_service_stat.stat.exists | bool or matrix_appservice_kakaotalk_node_service_stat.stat.exists | bool diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml index 4f838e7a5..63b173395 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required appservice-kakaotalk settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_kakaotalk_appservice_token" - - "matrix_appservice_kakaotalk_homeserver_token" + - {'name': 'matrix_appservice_kakaotalk_appservice_token', when: true} + - {'name': 'matrix_appservice_kakaotalk_homeserver_token', when: true} + - {'name': 'matrix_appservice_kakaotalk_database_hostname', when: "{{ matrix_appservice_kakaotalk_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 index 1bb87cb41..cf3644a9b 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 @@ -220,7 +220,7 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!kt set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_appservice_kakaotalk_bridge_relay_enabled }} # The formats to use when sending messages to KakaoTalk via a relay user. # # Available variables: @@ -230,8 +230,8 @@ bridge: # $message - The message content message_formats: m.text: '$sender_displayname: $message' - m.notice: '$sender_displayname: $message' - m.emote: '* $sender_displayname $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' m.file: 'File from $sender_displayname: $message' m.image: 'Image from $sender_displayname: $message' m.audio: 'Audio from $sender_displayname: $message' diff --git a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml index b5fbc13f9..6fb6d7e7f 100644 --- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/apps # matrix_appservice_slack_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_slack_version: 2.0.1 +matrix_appservice_slack_version: 2.0.2 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_docker_image_tag }}" matrix_appservice_slack_docker_image_tag: "{{ 'latest' if matrix_appservice_slack_version == 'latest' else ('release-' + matrix_appservice_slack_version) }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" @@ -57,8 +57,8 @@ matrix_appservice_slack_id_token: '' matrix_appservice_slack_database_engine: nedb matrix_appservice_slack_database_username: matrix_appservice_slack -matrix_appservice_slack_database_password: ~ -matrix_appservice_slack_database_hostname: 'matrix-postgres' +matrix_appservice_slack_database_password: 'some-passsword' +matrix_appservice_slack_database_hostname: '' matrix_appservice_slack_database_port: 5432 matrix_appservice_slack_database_name: matrix_appservice_slack diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml deleted file mode 100644 index 5d03b24b9..000000000 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml +++ /dev/null @@ -1,91 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the matrix-appservice-slack image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_image_self_build and matrix_appservice_slack_enabled" - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-appservice-slack role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}" - when: matrix_appservice_slack_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_appservice_slack_config_path }}/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-appservice-slack-registration.yaml"] - }} - when: matrix_appservice_slack_enabled | bool - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-appservice-slack role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - -- when: matrix_appservice_slack_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix Appservice Slack proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_appservice_slack_matrix_nginx_proxy_configuration: | - location {{ matrix_appservice_slack_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}"; - proxy_pass $backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_appservice_slack_slack_port }}; - {% endif %} - } - - - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_appservice_slack_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_appservice_slack_public_endpoint }}` - URL endpoint to the matrix-appservice-slack container. - You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. - when: "matrix_appservice_slack_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..4ddcb954d --- /dev/null +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix Appservice Slack proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_appservice_slack_matrix_nginx_proxy_configuration: | + location {{ matrix_appservice_slack_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_appservice_slack_slack_port }}; + {% endif %} + } + +- name: Register Slack Appservice proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_appservice_slack_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_appservice_slack_public_endpoint }}` + URL endpoint to the matrix-appservice-slack container. + You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. + when: "matrix_appservice_slack_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index cd83f61fb..6fb8ac7c9 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_slack_enabled | bool" - tags: +- tags: - setup-all - - setup-appservice-slack + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_slack_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-slack + - install-all + - install-appservice-slack + block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_slack_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-slack + block: + - when: not matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml index 0ed3e18b2..58c125ab9 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml @@ -2,8 +2,8 @@ - name: Fail if Postgres not enabled ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled | bool" + msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot migrate." + when: "not devture_postgres_enabled | bool" # Defaults @@ -14,19 +14,19 @@ # Actual import work -- name: Ensure matrix-postgres is started +- name: Ensure Postgres is started ansible.builtin.service: - name: matrix-postgres + name: "{{ devture_postgres_identifier }}" state: started daemon_reload: true - register: matrix_postgres_service_start_result + register: postgres_service_start_result - name: Wait a bit, so that Postgres can start ansible.builtin.wait_for: timeout: "{{ postgres_start_wait_time }}" delegate_to: 127.0.0.1 become: false - when: "matrix_postgres_service_start_result.changed | bool" + when: "postgres_service_start_result.changed | bool" - name: Ensure matrix-appservice-slack is stopped ansible.builtin.service: diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml index 2c7140851..9a72f69d0 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -26,7 +26,7 @@ - when: "matrix_appservice_slack_nedb_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" - ansible.builtin.set_fact: matrix_appservice_slack_requires_restart: true @@ -87,15 +87,10 @@ src: "{{ role_path }}/templates/systemd/matrix-appservice-slack.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" mode: 0644 - register: matrix_appservice_slack_systemd_service_result - -- name: Ensure systemd reloaded after matrix-appservice-slack.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_slack_systemd_service_result.changed" - name: Ensure matrix-appservice-slack.service restarted, if necessary ansible.builtin.service: name: "matrix-appservice-slack.service" state: restarted + daemon_reload: true when: "matrix_appservice_slack_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml index 434f90676..51c77fef0 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" register: matrix_appservice_slack_service_stat -- name: Ensure matrix-appservice-slack is stopped - ansible.builtin.service: - name: matrix-appservice-slack - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_slack_service_stat.stat.exists" +- when: matrix_appservice_slack_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-slack is stopped + ansible.builtin.service: + name: matrix-appservice-slack + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-slack.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" - state: absent - when: "matrix_appservice_slack_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-slack.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_slack_service_stat.stat.exists" + - name: Ensure matrix-appservice-slack.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml index e00eb6d4a..ef97635ec 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -1,16 +1,17 @@ --- -- name: Fail if required settings not defined +- name: Fail if required appservice-slack settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_slack_control_room_id" - - "matrix_appservice_slack_appservice_token" - - "matrix_appservice_slack_homeserver_url" - - "matrix_appservice_slack_homeserver_token" - - "matrix_appservice_slack_id_token" + - {'name': 'matrix_appservice_slack_control_room_id', when: true} + - {'name': 'matrix_appservice_slack_appservice_token', when: true} + - {'name': 'matrix_appservice_slack_homeserver_url', when: true} + - {'name': 'matrix_appservice_slack_homeserver_token', when: true} + - {'name': 'matrix_appservice_slack_id_token', when: true} + - {'name': 'matrix_appservice_slack_database_hostname', when: "{{ matrix_appservice_slack_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml deleted file mode 100644 index 1f8ace9e8..000000000 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml +++ /dev/null @@ -1,86 +0,0 @@ ---- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}" - when: matrix_appservice_webhooks_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-appservice-webhooks-registration.yaml"] - }} - when: matrix_appservice_webhooks_enabled | bool - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - -- when: matrix_appservice_webhooks_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ { - resolver 127.0.0.11 valid=5s; - set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}"; - proxy_pass http://$backend/$1; - } - {% else %} - {# Generic configuration for use outside of our container setup #} - location {{ matrix_appservice_webhooks_public_endpoint }}/ { - proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; - } - {% endif %} - - - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_appservice_webhooks_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}` - URL endpoint to the matrix-appservice-webhooks container. - You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. - when: "matrix_appservice_webhooks_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..2e4ad18e4 --- /dev/null +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,46 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ { + resolver 127.0.0.11 valid=5s; + set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}"; + proxy_pass http://$backend/$1; + } + {% else %} + {# Generic configuration for use outside of our container setup #} + location {{ matrix_appservice_webhooks_public_endpoint }}/ { + proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; + } + {% endif %} + +- name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_appservice_webhooks_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}` + URL endpoint to the matrix-appservice-webhooks container. + You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. + when: "matrix_appservice_webhooks_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index 30f05469c..a40d66ddc 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_webhooks_enabled | bool" - tags: +- tags: - setup-all - - setup-appservice-webhooks + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_webhooks_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-webhooks + - install-all + - install-appservice-webhooks + block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_webhooks_enabled | bool" - tags: +- tags: - setup-all - setup-appservice-webhooks + block: + - when: not matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 734b6e60c..194ef0176 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -86,9 +86,3 @@ src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" mode: 0644 - register: matrix_appservice_webhooks_systemd_service_result - -- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_webhooks_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml index 960fe58b0..c47b724cf 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" register: matrix_appservice_webhooks_service_stat -- name: Ensure matrix-appservice-webhooks is stopped - ansible.builtin.service: - name: matrix-appservice-webhooks - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_webhooks_service_stat.stat.exists" +- when: matrix_appservice_webhooks_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-webhooks is stopped + ansible.builtin.service: + name: matrix-appservice-webhooks + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-webhooks.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" - state: absent - when: "matrix_appservice_webhooks_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_webhooks_service_stat.stat.exists" + - name: Ensure matrix-appservice-webhooks.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" + state: absent diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml index 4f3d554b3..75e9de550 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -4,7 +4,7 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.3 +matrix_beeper_linkedin_version: v0.5.4 # See: https://github.com/beeper/linkedin/pkgs/container/linkedin matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" @@ -27,6 +27,8 @@ matrix_beeper_linkedin_appservice_address: "http://matrix-beeper-linkedin:29319" matrix_beeper_linkedin_bridge_presence: true +matrix_beeper_linkedin_bridge_space_support_enable: true + matrix_beeper_linkedin_command_prefix: "!li" matrix_beeper_linkedin_bridge_permissions: | @@ -55,8 +57,8 @@ matrix_beeper_linkedin_appservice_bot_username: linkedinbot matrix_beeper_linkedin_database_engine: "postgres" matrix_beeper_linkedin_database_username: 'matrix_beeper_linkedin' -matrix_beeper_linkedin_database_password: "" -matrix_beeper_linkedin_database_hostname: 'matrix-postgres' +matrix_beeper_linkedin_database_password: 'some-password' +matrix_beeper_linkedin_database_hostname: '' matrix_beeper_linkedin_database_port: 5432 matrix_beeper_linkedin_database_name: 'matrix_beeper_linkedin' @@ -81,6 +83,11 @@ matrix_beeper_linkedin_login_shared_secret: '' # Specifies the default log level for all bridge loggers. matrix_beeper_linkedin_logging_level: WARNING +# Enable End-to-bridge encryption +matrix_beeper_linkedin_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_beeper_linkedin_bridge_encryption_default: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}" +matrix_beeper_linkedin_bridge_encryption_key_sharing_allow: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}" + # Default beeper-linkedin configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -104,7 +111,7 @@ matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_confi matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml | from_yaml | combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}" matrix_beeper_linkedin_registration_yaml: | - id: linkedin + id: beeper_linkedin url: {{ matrix_beeper_linkedin_appservice_address }} as_token: "{{ matrix_beeper_linkedin_appservice_token }}" hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}" diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml deleted file mode 100644 index 1208f185b..000000000 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-beeper-linkedin.service'] }}" - when: matrix_beeper_linkedin_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_beeper_linkedin_config_path }}/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-beeper-linkedin-registration.yaml"] - }} - when: matrix_beeper_linkedin_enabled | bool diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml index 8f295d2ca..56eb91e52 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_beeper_linkedin_enabled | bool" - tags: +- tags: - setup-all - setup-beeper-linkedin + - install-all + - install-beeper-linkedin + block: + - when: matrix_beeper_linkedin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_beeper_linkedin_enabled" - tags: - - setup-all - - setup-beeper-linkedin + - when: matrix_beeper_linkedin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_beeper_linkedin_enabled" - tags: +- tags: - setup-all - setup-beeper-linkedin + block: + - when: not matrix_beeper_linkedin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml index 8784b6311..e553b9122 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml @@ -1,12 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - name: Ensure Beeper LinkedIn paths exists ansible.builtin.file: path: "{{ item.path }}" @@ -95,9 +88,3 @@ src: "{{ role_path }}/templates/systemd/matrix-beeper-linkedin.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" mode: 0644 - register: matrix_beeper_linkedin_systemd_service_result - -- name: Ensure systemd reloaded after matrix-beeper-linkedin.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_beeper_linkedin_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml index 4a75a4c7a..4d3334692 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" register: matrix_beeper_linkedin_service_stat -- name: Ensure matrix-beeper-linkedin is stopped - ansible.builtin.service: - name: matrix-beeper-linkedin - state: stopped - enabled: false - daemon_reload: true - when: "matrix_beeper_linkedin_service_stat.stat.exists" +- when: matrix_beeper_linkedin_service_stat.stat.exists | bool + block: + - name: Ensure matrix-beeper-linkedin is stopped + ansible.builtin.service: + name: matrix-beeper-linkedin + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-beeper-linkedin.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" - state: absent - when: "matrix_beeper_linkedin_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-beeper-linkedin.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_beeper_linkedin_service_stat.stat.exists" + - name: Ensure matrix-beeper-linkedin.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" + state: absent diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml index 61489b7c6..59d56ca85 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required beeper-linkedin settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_beeper_linkedin_appservice_token" - - "matrix_beeper_linkedin_homeserver_token" + - {'name': 'matrix_beeper_linkedin_appservice_token', when: true} + - {'name': 'matrix_beeper_linkedin_homeserver_token', when: true} + - {'name': 'matrix_beeper_linkedin_database_hostname', when: "{{ matrix_beeper_linkedin_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 index a30f24253..c5a01535f 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 @@ -88,15 +88,15 @@ manhole: # Bridge config bridge: # Localpart template of MXIDs for LinkedIn users. + # {userid} is replaced with the user ID of the LinkedIn user username_template: "linkedin_{userid}" - # Displayname template for LinkedIn users. - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # (Note that, by default, non-admins might not have your homeserver's permission to create - # communities. You should set `enable_group_creation: true` in homeserver.yaml to fix this.) - # `linkedin_{localpart}={server}` is a good value. - community_template: null + # Settings for creating a space for every user. + space_support: + # Whether or not to enable creating a space per user and inviting the + # user (as well as all of the puppets) to that space. + enable: {{ matrix_beeper_linkedin_bridge_space_support_enable|to_json }} + # The name of the space + name: "LinkedIn" # Displayname template for LinkedIn users. # {displayname} is replaced with the display name of the LinkedIn user @@ -156,15 +156,15 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_beeper_linkedin_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_beeper_linkedin_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: false + allow: {{ matrix_beeper_linkedin_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. diff --git a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml index a6f7aa9d3..477f21274 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml @@ -56,7 +56,7 @@ matrix_go_skype_bridge_sqlite_database_path_in_container: "/data/go-skype-bridge matrix_go_skype_bridge_database_username: 'matrix_go_skype_bridge' matrix_go_skype_bridge_database_password: 'some-password' -matrix_go_skype_bridge_database_hostname: 'matrix-postgres' +matrix_go_skype_bridge_database_hostname: '' matrix_go_skype_bridge_database_port: 5432 matrix_go_skype_bridge_database_name: 'matrix_go_skype_bridge' @@ -86,7 +86,7 @@ matrix_go_skype_bridge_bridge_double_puppet_server_map: "{{ matrix_go_skype_bridge_homeserver_domain : matrix_go_skype_bridge_homeserver_address }}" # Enable End-to-bridge encryption -matrix_go_skype_bridge_bridge_encryption_allow: false +matrix_go_skype_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}" # Minimum severity of journal log messages. diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml deleted file mode 100644 index 58808454f..000000000 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-go-skype-bridge.service'] }}" - when: matrix_go_skype_bridge_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_go_skype_bridge_config_path }}/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-go-skype-bridge-registration.yaml"] - }} - when: matrix_go_skype_bridge_enabled | bool diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml index 39f4b2e52..7ba914213 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_go_skype_bridge_enabled | bool" - tags: +- tags: - setup-all - setup-go-skype-bridge + - install-all + - install-go-skype-bridge + block: + - when: matrix_go_skype_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_go_skype_bridge_enabled | bool" - tags: - - setup-all - - setup-go-skype-bridge + - when: matrix_go_skype_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_go_skype_bridge_enabled | bool" - tags: +- tags: - setup-all - setup-go-skype-bridge + block: + - when: not matrix_go_skype_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 68718ccf3..7d8ccd8dd 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-go-skype-bridge role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_go_skype_bridge_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_go_skype_bridge_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_go_skype_bridge_sqlite_database_path_local }}" dst: "{{ matrix_go_skype_bridge_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -30,10 +25,6 @@ systemd_services_to_stop: ['matrix-go-skype-bridge.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_go_skype_bridge_requires_restart: true @@ -106,11 +97,17 @@ when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge database file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + creates: "{{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + removes: "{{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db" when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + creates: "{{ matrix_go_skype_bridge_data_path }}/mx-state.json" + removes: "{{ matrix_go_skype_bridge_base_path }}/mx-state.json" when: "matrix_go_skype_bridge_stat_mx_state.stat.exists" - name: Ensure go-skype-bridge config.yaml installed @@ -136,13 +133,9 @@ mode: 0644 register: matrix_go_skype_bridge_systemd_service_result -- name: Ensure systemd reloaded after matrix-go-skype-bridge.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_go_skype_bridge_systemd_service_result.changed" - - name: Ensure matrix-go-skype-bridge.service restarted, if necessary ansible.builtin.service: name: "matrix-go-skype-bridge.service" state: restarted + daemon_reload: true when: "matrix_go_skype_bridge_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml index 975b25ab4..d7b5999a1 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-go-skype-bridge.service" register: matrix_go_skype_bridge_service_stat -- name: Ensure matrix-go-skype-bridge is stopped - ansible.builtin.service: - name: matrix-go-skype-bridge - state: stopped - enabled: false - daemon_reload: true - when: "matrix_go_skype_bridge_service_stat.stat.exists" +- when: matrix_go_skype_bridge_service_stat.stat.exists | bool + block: + - name: Ensure matrix-go-skype-bridge is stopped + ansible.builtin.service: + name: matrix-go-skype-bridge + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-go-skype-bridge.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-go-skype-bridge.service" - state: absent - when: "matrix_go_skype_bridge_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-go-skype-bridge.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_go_skype_bridge_service_stat.stat.exists" + - name: Ensure matrix-go-skype-bridge.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-go-skype-bridge.service" + state: absent diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml index d681299f2..c9b3c2ffd 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required go-skype-bridge settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_go_skype_bridge_appservice_token" - - "matrix_go_skype_bridge_homeserver_token" + - {'name': 'matrix_go_skype_bridge_appservice_token', when: true} + - {'name': 'matrix_go_skype_bridge_homeserver_token', when: true} + - {'name': 'matrix_go_skype_bridge_database_hostname', when: "{{ matrix_go_skype_bridge_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index 48101db1d..5dfe38105 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml @@ -4,7 +4,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.14.0 +matrix_heisenbridge_version: 1.14.3 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/init.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/init.yml deleted file mode 100644 index dd3d4c7d0..000000000 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/init.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role. - when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}" - when: matrix_heisenbridge_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/heisenbridge-registration.yaml"] - }} - when: matrix_heisenbridge_enabled | bool diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml index 6af9813ec..5b92520d1 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml @@ -1,17 +1,17 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_heisenbridge_enabled | bool" - tags: +- tags: - setup-all - setup-heisenbridge + - install-all + - install-heisenbridge + block: + - when: matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_heisenbridge_enabled | bool" - tags: +- tags: - setup-all - setup-heisenbridge + block: + - when: not matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml index 9a0cac354..23b7de5d9 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml @@ -34,9 +34,3 @@ src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" mode: 0644 - register: matrix_heisenbridge_systemd_service_result - -- name: Ensure systemd reloaded after matrix-heisenbridge.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml index 688ff9d47..090427ca3 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" register: matrix_heisenbridge_service_stat -- name: Ensure matrix-heisenbridge is stopped - ansible.builtin.service: - name: matrix-heisenbridge - state: stopped - enabled: false - daemon_reload: true - when: "matrix_heisenbridge_service_stat.stat.exists" +- when: matrix_heisenbridge_service_stat.stat.exists | bool + block: + - name: Ensure matrix-heisenbridge is stopped + ansible.builtin.service: + name: matrix-heisenbridge + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-heisenbridge.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" - state: absent - when: "matrix_heisenbridge_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-heisenbridge.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_heisenbridge_service_stat.stat.exists" + - name: Ensure matrix-heisenbridge.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" + state: absent diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 4e6965847..3c1ba5193 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 2.4.0 +matrix_hookshot_version: 4.4.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -52,7 +52,7 @@ matrix_hookshot_webhook_endpoint: "{{ matrix_hookshot_public_endpoint }}/webhook # You need to create a GitHub app to enable this and fill in the empty variables below # https://matrix-org.github.io/matrix-hookshot/setup/github.html matrix_hookshot_github_enabled: false -matrix_hookshot_github_appid: '' +matrix_hookshot_github_auth_id: '' # Set this variable to the contents of the generated and downloaded GitHub private key: # matrix_hookshot_github_private_key: | # -----BEGIN RSA PRIVATE KEY----- @@ -61,22 +61,25 @@ matrix_hookshot_github_appid: '' # Alternatively, leave it empty and do it manually or use matrix-aux instead, see docs/matrix-bridge-hookshot.md for info. matrix_hookshot_github_private_key: '' matrix_hookshot_github_private_key_file: 'private-key.pem' -matrix_hookshot_github_secret: '' # "Webhook secret" on the GitHub App page +matrix_hookshot_github_webhook_secret: '' # "Webhook secret" on the GitHub App page matrix_hookshot_github_oauth_enabled: false # You need to configure oauth settings only when you have enabled oauth (optional) -matrix_hookshot_github_oauth_id: '' # "Client ID" on the GitHub App page -matrix_hookshot_github_oauth_secret: '' # "Client Secret" on the GitHub App page +matrix_hookshot_github_oauth_client_id: '' # "Client ID" on the GitHub App page +matrix_hookshot_github_oauth_client_secret: '' # "Client Secret" on the GitHub App page # Default value of matrix_hookshot_github_oauth_endpoint: "/hookshot/webhooks/oauth" matrix_hookshot_github_oauth_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/oauth" -matrix_hookshot_github_oauth_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_github_oauth_endpoint }}" +matrix_hookshot_github_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_github_oauth_endpoint }}" + # These are the default settings mentioned here and don't need to be modified: https://matrix-org.github.io/matrix-hookshot/usage/room_configuration/github_repo.html#configuration -matrix_hookshot_github_ignore_hooks: "{}" -matrix_hookshot_github_command_prefix: '!gh' -matrix_hookshot_github_showIssueRoomLink: false # noqa var-naming -matrix_hookshot_github_pr_diff: "{enabled: false, maxLines: 5}" -matrix_hookshot_github_including_labels: '' -matrix_hookshot_github_excluding_labels: '' -matrix_hookshot_github_hotlink_prefix: "#" +matrix_hookshot_github_defaultOptions_ignoreHooks: {} # noqa var-naming +matrix_hookshot_github_defaultOptions_commandPrefix: '!gh' # noqa var-naming +matrix_hookshot_github_defaultOptions_showIssueRoomLink: false # noqa var-naming +matrix_hookshot_github_defaultOptions_prDiff: # noqa var-naming + enabled: false + maxLines: 5 +matrix_hookshot_github_defaultOptions_includingLabels: '' # noqa var-naming +matrix_hookshot_github_defaultOptions_excludingLabels: '' # noqa var-naming +matrix_hookshot_github_defaultOptions_hotlinkIssues_prefix: "#" # noqa var-naming matrix_hookshot_gitlab_enabled: true @@ -91,7 +94,7 @@ matrix_hookshot_gitlab_instances: url: https://gitlab.com # This will be the "Secret token" you have to enter into all GitLab instances for authentication -matrix_hookshot_gitlab_secret: '' +matrix_hookshot_gitlab_webhook_secret: '' matrix_hookshot_figma_enabled: false @@ -104,33 +107,35 @@ matrix_hookshot_figma_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hooks # teamId: your-team-id # accessToken: your-personal-access-token # passcode: your-webhook-passcode - +matrix_hookshot_figma_instances: {} matrix_hookshot_jira_enabled: false # Get the these values from https://matrix-org.github.io/matrix-hookshot/setup/jira.html#jira-oauth -matrix_hookshot_jira_secret: '' +matrix_hookshot_jira_webhook_secret: '' matrix_hookshot_jira_oauth_enabled: false -matrix_hookshot_jira_oauth_id: '' -matrix_hookshot_jira_oauth_secret: '' +matrix_hookshot_jira_oauth_client_id: '' +matrix_hookshot_jira_oauth_client_secret: '' # Default value of matrix_hookshot_jira_oauth_endpoint: "/hookshot/webhooks/jira/oauth" matrix_hookshot_jira_oauth_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/jira/oauth" -matrix_hookshot_jira_oauth_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_jira_oauth_endpoint }}" +matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_jira_oauth_endpoint }}" # No need to change these matrix_hookshot_generic_enabled: true +matrix_hookshot_generic_enableHttpGet: false # noqa var-naming # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" # urlprefix gets updated with protocol & port in group_vars/matrix_servers -matrix_hookshot_generic_urlprefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" -matrix_hookshot_generic_allow_js_transformation_functions: false +matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" # noqa var-naming # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap -matrix_hookshot_generic_user_id_prefix: '_webhooks_' +matrix_hookshot_generic_userIdPrefix: '_webhooks_' # noqa var-naming +matrix_hookshot_generic_allowJsTransformationFunctions: false # noqa var-naming +matrix_hookshot_generic_waitForComplete: false # noqa var-naming matrix_hookshot_feeds_enabled: true matrix_hookshot_feeds_pollIntervalSeconds: 600 # noqa var-naming -matrix_hookshot_feeds_pollTimeoutSeconds: 10 # noqa var-naming +matrix_hookshot_feeds_pollTimeoutSeconds: 30 # noqa var-naming # There is no need to edit ports. use matrix_hookshot_container_http_host_bind_ports below to expose ports instead. @@ -141,6 +146,8 @@ matrix_hookshot_provisioning_enabled: false matrix_hookshot_provisioning_internal: "/v1" matrix_hookshot_provisioning_endpoint: "{{ matrix_hookshot_public_endpoint }}{{ matrix_hookshot_provisioning_internal }}" +# Valid logging levels are: debug, info, warn, error +matrix_hookshot_logging_level: warn matrix_hookshot_widgets_enabled: true matrix_hookshot_widgets_port: 9003 @@ -193,6 +200,8 @@ matrix_hookshot_permissions: [] matrix_hookshot_bot_displayname: Hookshot Bot matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d' +matrix_hookshot_container_network: "{{ matrix_docker_network }}" + # A list of extra arguments to pass to the container matrix_hookshot_container_extra_arguments: [] diff --git a/roles/custom/matrix-bridge-hookshot/tasks/init.yml b/roles/custom/matrix-bridge-hookshot/tasks/init.yml deleted file mode 100644 index 63921f311..000000000 --- a/roles/custom/matrix-bridge-hookshot/tasks/init.yml +++ /dev/null @@ -1,141 +0,0 @@ ---- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-hookshot role needs to execute before the matrix-synapse role. - when: "matrix_hookshot_enabled and matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-hookshot.service'] }}" - when: matrix_hookshot_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_hookshot_base_path }}/registration.yml,dst=/hookshot-registration.yml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/hookshot-registration.yml"] - }} - when: matrix_hookshot_enabled | bool - -- when: matrix_hookshot_enabled | bool - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append hookshot's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-hookshot role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix hookshot proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_hookshot_matrix_nginx_proxy_configuration: | - location ~ ^{{ matrix_hookshot_appservice_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_appservice_port }}/$1; - {% endif %} - proxy_set_header Host $host; - } - {% if matrix_hookshot_provisioning_enabled %} - location ~ ^{{ matrix_hookshot_provisioning_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_provisioning_port }}"; - proxy_pass http://$backend{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_provisioning_port }}{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; - {% endif %} - proxy_set_header Host $host; - } - {% endif %} - {% if matrix_hookshot_widgets_enabled %} - location ~ ^{{ matrix_hookshot_widgets_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_widgets_port }}"; - proxy_pass http://$backend{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_widgets_port }}{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; - {% endif %} - proxy_set_header Host $host; - } - {% endif %} - location ~ ^{{ matrix_hookshot_webhook_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_webhook_port }}"; - proxy_pass http://$backend/$1$is_args$args; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_webhook_port }}/$1$is_args$args; - {% endif %} - proxy_set_header Host $host; - } - - - name: Register hookshot proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_hookshot_matrix_nginx_proxy_configuration] - }} - - - name: Generate hookshot metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) - ansible.builtin.set_fact: - matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain: | - location /metrics/hookshot { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_metrics_port }}"; - proxy_pass http://$backend/metrics; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_metrics_port }}/metrics; - {% endif %} - } - when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool - - - name: Register hookshot metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain] - }} - when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the hookshot bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_hookshot_public_endpoint }}` - URL endpoint to the matrix-hookshot container. - You can expose the container's ports using the `matrix_hookshot_container_http_host_bind_ports` variable. - when: "matrix_hookshot_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..5712489c3 --- /dev/null +++ b/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,111 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append hookshot's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-hookshot role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix hookshot proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_hookshot_matrix_nginx_proxy_configuration: | + location ~ ^{{ matrix_hookshot_appservice_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_appservice_port }}/$1; + {% endif %} + proxy_set_header Host $host; + } + {% if matrix_hookshot_provisioning_enabled %} + location ~ ^{{ matrix_hookshot_provisioning_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_provisioning_port }}"; + proxy_pass http://$backend{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_provisioning_port }}{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; + {% endif %} + proxy_set_header Host $host; + } + {% endif %} + {% if matrix_hookshot_widgets_enabled %} + location ~ ^{{ matrix_hookshot_widgets_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_widgets_port }}"; + proxy_pass http://$backend{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_widgets_port }}{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; + {% endif %} + proxy_set_header Host $host; + } + {% endif %} + location ~ ^{{ matrix_hookshot_webhook_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_webhook_port }}"; + proxy_pass http://$backend/$1$is_args$args; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_webhook_port }}/$1$is_args$args; + {% endif %} + proxy_set_header Host $host; + } + +- name: Register hookshot proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_hookshot_matrix_nginx_proxy_configuration] + }} + +- name: Generate hookshot metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) + ansible.builtin.set_fact: + matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain: | + location /metrics/hookshot { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_metrics_port }}"; + proxy_pass http://$backend/metrics; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_metrics_port }}/metrics; + {% endif %} + } + when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool + +- name: Register hookshot metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain] + }} + when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the hookshot bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_hookshot_public_endpoint }}` + URL endpoint to the matrix-hookshot container. + You can expose the container's ports using the `matrix_hookshot_container_http_host_bind_ports` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index 99febe114..e2fa9936a 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_hookshot_enabled | bool" - tags: +- tags: - setup-all - - setup-hookshot + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_hookshot_enabled | bool" - tags: +- tags: - setup-all - setup-hookshot + - install-all + - install-hookshot + block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_hookshot_enabled | bool" - tags: +- tags: - setup-all - setup-hookshot + block: + - when: not matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index e13af1986..05e5cb856 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_role: +- ansible.builtin.include_role: name: custom/matrix-base tasks_from: ensure_openssl_installed @@ -57,7 +57,9 @@ register: hookshot_passkey_file - name: Generate hookshot passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + creates: "{{ matrix_hookshot_base_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" when: "not hookshot_passkey_file.stat.exists" @@ -79,7 +81,7 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml - {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml + {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml register: hookshot_config_validation_result changed_when: false @@ -105,14 +107,13 @@ group: "{{ matrix_user_groupname }}" when: matrix_hookshot_github_enabled | bool and matrix_hookshot_github_private_key|length > 0 +- name: Ensure matrix-hookshot container network is created + community.general.docker_network: + name: "{{ matrix_hookshot_container_network }}" + driver: bridge + - name: Ensure matrix-hookshot.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-hookshot.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" mode: 0644 - register: matrix_hookshot_systemd_service_result - -- name: Ensure systemd reloaded after matrix-hookshot.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_hookshot_systemd_service_result.changed diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml index 2028a34e1..b4c72d38a 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" register: matrix_hookshot_service_stat -- name: Ensure matrix-hookshot is stopped - ansible.builtin.service: - name: matrix-hookshot - state: stopped - enabled: false - daemon_reload: true - when: "matrix_hookshot_service_stat.stat.exists" +- when: matrix_hookshot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-hookshot is stopped + ansible.builtin.service: + name: matrix-hookshot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-hookshot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" - state: absent - when: "matrix_hookshot_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-hookshot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_hookshot_service_stat.stat.exists" + - name: Ensure matrix-hookshot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" + state: absent diff --git a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml index 3392f1b64..91d29eceb 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml @@ -1,5 +1,34 @@ --- +- name: (Deprecation) Catch and report renamed Hookshot variables + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_hookshot_feeds_interval', 'new': 'matrix_hookshot_feeds_pollIntervalSeconds'} + - {'old': 'matrix_hookshot_generic_urlprefix', 'new': 'matrix_hookshot_generic_urlPrefix'} + - {'old': 'matrix_hookshot_generic_allow_js_transformation_functions', 'new': 'matrix_hookshot_generic_allowJsTransformationFunctions'} + - {'old': 'matrix_hookshot_generic_user_id_prefix', 'new': 'matrix_hookshot_generic_userIdPrefix'} + - {'old': 'matrix_hookshot_github_secret', 'new': 'matrix_hookshot_github_webhook_secret'} + - {'old': 'matrix_hookshot_github_appid', 'new': 'matrix_hookshot_github_auth_id'} + - {'old': 'matrix_hookshot_github_oauth_id', 'new': 'matrix_hookshot_github_oauth_client_id'} + - {'old': 'matrix_hookshot_github_oauth_secret', 'new': 'matrix_hookshot_github_oauth_client_secret'} + - {'old': 'matrix_hookshot_github_oauth_uri', 'new': 'matrix_hookshot_github_oauth_redirect_uri'} + - {'old': 'matrix_hookshot_github_ignore_hooks', 'new': 'matrix_hookshot_github_defaultOptions_ignoreHooks'} + - {'old': 'matrix_hookshot_github_command_prefix', 'new': 'matrix_hookshot_github_defaultOptions_commandPrefix'} + - {'old': 'matrix_hookshot_github_showIssueRoomLink', 'new': 'matrix_hookshot_github_defaultOptions_showIssueRoomLink'} + - {'old': 'matrix_hookshot_github_pr_diff', 'new': 'matrix_hookshot_github_defaultOptions_prDiff'} + - {'old': 'matrix_hookshot_github_including_labels', 'new': 'matrix_hookshot_github_defaultOptions_includingLabels'} + - {'old': 'matrix_hookshot_github_excluding_labels', 'new': 'matrix_hookshot_github_defaultOptions_excludingLabels'} + - {'old': 'matrix_hookshot_github_hotlink_prefix', 'new': 'matrix_hookshot_github_defaultOptions_hotlinkIssues_prefix'} + - {'old': 'matrix_hookshot_jira_secret', 'new': 'matrix_hookshot_jira_webhook_secret'} + - {'old': 'matrix_hookshot_jira_oauth_id', 'new': 'matrix_hookshot_jira_oauth_client_id'} + - {'old': 'matrix_hookshot_jira_oauth_secret', 'new': 'matrix_hookshot_jira_oauth_client_secret'} + - {'old': 'matrix_hookshot_jira_oauth_uri', 'new': 'matrix_hookshot_jira_oauth_client_secret'} + - {'old': 'matrix_hookshot_gitlab_secret', 'new': 'matrix_hookshot_gitlab_webhook_secret'} + - name: Fail if required settings not defined ansible.builtin.fail: msg: >- @@ -15,8 +44,8 @@ You need to define a required configuration setting (`{{ item }}`) to enable GitHub. when: "matrix_hookshot_github_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_github_appid" - - "matrix_hookshot_github_secret" + - "matrix_hookshot_github_auth_id" + - "matrix_hookshot_github_webhook_secret" - name: Fail if required GitHub OAuth settings not defined ansible.builtin.fail: @@ -24,8 +53,8 @@ You need to define a required configuration setting (`{{ item }}`) to enable GitHub OAuth. when: "matrix_hookshot_github_oauth_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_github_oauth_id" - - "matrix_hookshot_github_oauth_secret" + - "matrix_hookshot_github_oauth_client_id" + - "matrix_hookshot_github_oauth_client_secret" - name: Fail if required Jira settings not defined ansible.builtin.fail: @@ -33,7 +62,7 @@ You need to define a required configuration setting (`{{ item }}`) to enable Jira. when: "matrix_hookshot_jira_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_jira_secret" + - "matrix_hookshot_jira_webhook_secret" - name: Fail if required Jira OAuth settings not defined ansible.builtin.fail: @@ -41,14 +70,14 @@ You need to define a required configuration setting (`{{ item }}`) to enable Jira OAuth. when: "matrix_hookshot_jira_oauth_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_jira_oauth_id" - - "matrix_hookshot_jira_oauth_secret" + - "matrix_hookshot_jira_oauth_client_id" + - "matrix_hookshot_jira_oauth_client_secret" - name: Fail if required Figma settings not defined ansible.builtin.fail: msg: >- - You need to define at least one Figma instance to enable Figma. - when: "matrix_hookshot_figma_enabled and matrix_hookshot_figma_instances is undefined" + You need to define at least one Figma instance in `matrix_hookshot_figma_instances` to enable Figma. + when: "matrix_hookshot_figma_enabled and matrix_hookshot_figma_instances | length == 0" - name: Fail if required provisioning settings not defined ansible.builtin.fail: @@ -58,15 +87,6 @@ with_items: - "matrix_hookshot_provisioning_secret" -- name: (Deprecation) Catch and report renamed Hookshot variables - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_hookshot_feeds_interval', 'new': 'matrix_hookshot_feeds_pollIntervalSeconds'} - - name: (Deprecation) Catch and report old metrics usage ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 index 527afafaf..c3b0bbd48 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 @@ -14,69 +14,70 @@ github: auth: # Authentication for the GitHub App. # - id: {{ matrix_hookshot_github_appid }} + id: {{ matrix_hookshot_github_auth_id | to_json }} privateKeyFile: /data/{{ matrix_hookshot_github_private_key_file }} webhook: # Webhook settings for the GitHub app. # - secret: {{ matrix_hookshot_github_secret|to_json }} + secret: {{ matrix_hookshot_github_webhook_secret | to_json }} {% if matrix_hookshot_github_oauth_enabled %} oauth: # (Optional) Settings for allowing users to sign in via OAuth. # - client_id: {{ matrix_hookshot_github_oauth_id }} - client_secret: {{ matrix_hookshot_github_oauth_secret|to_json }} - redirect_uri: {{ matrix_hookshot_github_oauth_uri }} + client_id: {{ matrix_hookshot_github_oauth_client_id | to_json }} + client_secret: {{ matrix_hookshot_github_oauth_client_secret | to_json }} + redirect_uri: {{ matrix_hookshot_github_oauth_redirect_uri | to_json }} {% endif %} defaultOptions: # (Optional) Default options for GitHub connections. # - ignoreHooks: {{ matrix_hookshot_github_ignore_hooks }} - commandPrefix: "{{ matrix_hookshot_github_command_prefix }}" - showIssueRoomLink: {{ matrix_hookshot_github_showIssueRoomLink }} - prDiff: {{ matrix_hookshot_github_pr_diff }} - includingLabels:{{ matrix_hookshot_github_including_labels }} - excludingLabels: {{ matrix_hookshot_github_excluding_labels }} + ignoreHooks: {{ matrix_hookshot_github_defaultOptions_ignoreHooks | to_json }} + commandPrefix: {{ matrix_hookshot_github_defaultOptions_commandPrefix | to_json }} + showIssueRoomLink: {{ matrix_hookshot_github_defaultOptions_showIssueRoomLink | to_json }} + prDiff: {{ matrix_hookshot_github_defaultOptions_prDiff | to_json }} + includingLabels: {{ matrix_hookshot_github_defaultOptions_includingLabels | to_json }} + excludingLabels: {{ matrix_hookshot_github_defaultOptions_excludingLabels | to_json }} hotlinkIssues: - prefix: "{{ matrix_hookshot_github_hotlink_prefix }}" + prefix: {{ matrix_hookshot_github_defaultOptions_hotlinkIssues_prefix | to_json }} {% endif %} {% if matrix_hookshot_gitlab_enabled %} gitlab: # (Optional) Configure this to enable GitLab support # - instances: - {{ matrix_hookshot_gitlab_instances }} + instances: {{ matrix_hookshot_gitlab_instances | to_json }} webhook: - secret: {{ matrix_hookshot_gitlab_secret|to_json }} + secret: {{ matrix_hookshot_gitlab_webhook_secret | to_json }} {% endif %} {% if matrix_hookshot_figma_enabled %} figma: # (Optional) Configure this to enable Figma support # - publicUrl: {{ matrix_hookshot_figma_publicUrl }} - instances: {{ matrix_hookshot_figma_instances }} + publicUrl: {{ matrix_hookshot_figma_publicUrl | to_json }} + instances: {{ matrix_hookshot_figma_instances | to_json }} {% endif %} {% if matrix_hookshot_jira_enabled %} jira: # (Optional) Configure this to enable Jira support # webhook: - secret: {{ matrix_hookshot_jira_secret|to_json }} + secret: {{ matrix_hookshot_jira_webhook_secret | to_json }} {% if matrix_hookshot_jira_oauth_enabled %} oauth: - client_id: {{ matrix_hookshot_jira_oauth_id|to_json }} - client_secret: {{ matrix_hookshot_jira_oauth_secret|to_json }} - redirect_uri: {{ matrix_hookshot_jira_oauth_uri }} + client_id: {{ matrix_hookshot_jira_oauth_client_id | to_json }} + client_secret: {{ matrix_hookshot_jira_oauth_client_secret | to_json }} + redirect_uri: {{ matrix_hookshot_jira_oauth_redirect_uri | to_json }} {% endif %} {% endif %} {% if matrix_hookshot_generic_enabled %} generic: # (Optional) Support for generic webhook events. `allowJsTransformationFunctions` will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments # - enabled: {{ matrix_hookshot_generic_enabled }} - urlPrefix: {{ matrix_hookshot_generic_urlprefix }} - allowJsTransformationFunctions: {{ matrix_hookshot_generic_allow_js_transformation_functions }} - userIdPrefix: {{ matrix_hookshot_generic_user_id_prefix|to_json }} + enabled: {{ matrix_hookshot_generic_enabled | to_json }} + enableHttpGet: {{ matrix_hookshot_generic_enableHttpGet | to_json }} + urlPrefix: {{ matrix_hookshot_generic_urlPrefix | to_json }} + userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }} + allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }} + waitForComplete: {{ matrix_hookshot_generic_waitForComplete | to_json }} {% endif %} {% if matrix_hookshot_feeds_enabled %} feeds: @@ -90,7 +91,7 @@ feeds: provisioning: # (Optional) Provisioning API for integration managers # - secret: {{ matrix_hookshot_provisioning_secret|to_json }} + secret: {{ matrix_hookshot_provisioning_secret | to_json }} {% endif %} passFile: # A passkey used to encrypt tokens stored inside the bridge. @@ -100,34 +101,34 @@ passFile: bot: # (Optional) Define profile information for the bot user # - displayname: {{ matrix_hookshot_bot_displayname }} - avatar: {{ matrix_hookshot_bot_avatar }} + displayname: {{ matrix_hookshot_bot_displayname | to_json }} + avatar: {{ matrix_hookshot_bot_avatar | to_json }} metrics: # (Optional) Prometheus metrics support # - enabled: {{ matrix_hookshot_metrics_enabled }} + enabled: {{ matrix_hookshot_metrics_enabled | to_json }} logging: # (Optional) Logging settings. You can have a severity debug,info,warn,error # - level: warn + level: {{ matrix_hookshot_logging_level | to_json }} {% if matrix_hookshot_widgets_enabled %} widgets: # (Optional) EXPERIMENTAL support for complimentary widgets # - addToAdminRooms: {{ matrix_hookshot_widgets_addToAdminRooms }} + addToAdminRooms: {{ matrix_hookshot_widgets_addToAdminRooms | to_json }} {% if matrix_hookshot_widgets_roomSetupWidget_enabled %} roomSetupWidget: - addOnInvite: {{ matrix_hookshot_widgets_roomSetupWidget_addOnInvite }} + addOnInvite: {{ matrix_hookshot_widgets_roomSetupWidget_addOnInvite | to_json }} {% endif %} {% if not matrix_hookshot_widgets_disallowedIpRanges is in [None, ''] %} - disallowedIpRanges: {{ matrix_hookshot_widgets_disallowedIpRanges }} + disallowedIpRanges: {{ matrix_hookshot_widgets_disallowedIpRanges | to_json }} {% endif %} - publicUrl: {{ matrix_hookshot_widgets_publicUrl }} + publicUrl: {{ matrix_hookshot_widgets_publicUrl | to_json }} branding: - widgetTitle: {{ matrix_hookshot_widgets_branding_widgetTitle }} + widgetTitle: {{ matrix_hookshot_widgets_branding_widgetTitle | to_json }} {% endif %} {% if matrix_hookshot_permissions %} -permissions: {{ matrix_hookshot_permissions }} +permissions: {{ matrix_hookshot_permissions | to_json }} {% endif %} listeners: # (Optional) HTTP Listener configuration. diff --git a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 index d076ea108..87509a127 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 @@ -18,7 +18,7 @@ namespaces: exclusive: true {% endif %} {% if matrix_hookshot_generic_enabled %} - - regex: "@{{ matrix_hookshot_generic_user_id_prefix }}.*:{{ matrix_domain }}" # Where foobar is your homeserver's domain // depending on userIdPrefix setting in conf + - regex: "@{{ matrix_hookshot_generic_userIdPrefix }}.*:{{ matrix_domain }}" # Where foobar is your homeserver's domain // depending on userIdPrefix setting in conf exclusive: true {% endif %} aliases: diff --git a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 index 7ebd08b6c..713c7a9fd 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 @@ -20,8 +20,8 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_hookshot_base_path }}:/data:z \ + --network={{ matrix_hookshot_container_network }} \ + --mount type=bind,src={{ matrix_hookshot_base_path }},dst=/data \ {% for port in matrix_hookshot_container_http_host_bind_ports %} -p {{ port }} \ {% endfor %} diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 7163954a4..f9b853bc6 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: latest +matrix_mautrix_discord_version: v0.6.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" @@ -67,7 +67,7 @@ matrix_mautrix_discord_sqlite_database_path_in_container: "/data/mautrix-discord matrix_mautrix_discord_database_username: 'matrix_mautrix_discord' matrix_mautrix_discord_database_password: 'some-password' -matrix_mautrix_discord_database_hostname: 'matrix-postgres' +matrix_mautrix_discord_database_hostname: '' matrix_mautrix_discord_database_port: 5432 matrix_mautrix_discord_database_name: 'matrix_mautrix_discord' @@ -137,10 +137,10 @@ matrix_mautrix_discord_registration_yaml: | matrix_mautrix_discord_registration: "{{ matrix_mautrix_discord_registration_yaml | from_yaml }}" # Enable End-to-bridge encryption -matrix_mautrix_discord_bridge_encryption_allow: false +matrix_mautrix_discord_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_discord_bridge_encryption_default: "{{ matrix_mautrix_discord_bridge_encryption_allow }}" matrix_mautrix_discord_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_discord_bridge_encryption_allow }}" -# On conduit this option may prevent you from joining spaces created by the bridge. -# Setting this to false fixes the issue. +# On conduit versions before 0.5.0 this option prevented users from joining spaces created by the bridge. +# Setting this to false fixed the issue. matrix_mautrix_discord_bridge_restricted_rooms: true diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml deleted file mode 100644 index 3f94a73ad..000000000 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-discord.service'] }}" - when: matrix_mautrix_discord_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_discord_config_path }}/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-discord-registration.yaml"] - }} - when: matrix_mautrix_discord_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml index 9eaadf684..19698f9f1 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml @@ -1,22 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_discord_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-discord + - install-all + - install-mautrix-discord + block: + - when: matrix_mautrix_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_mautrix_discord_enabled" - tags: - - setup-all - - setup-mautrix-discord + - when: matrix_mautrix_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_mautrix_discord_enabled" - tags: +- tags: - setup-all - setup-mautrix-discord + block: + - when: not matrix_mautrix_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml index 06bae8dd0..f16422f7a 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-discord role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_discord_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_discord_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_discord_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_discord_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -30,10 +25,6 @@ systemd_services_to_stop: ['matrix-mautrix-discord.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_discord_requires_restart: true @@ -109,13 +100,9 @@ mode: 0644 register: matrix_mautrix_discord_systemd_service_result -- name: Ensure systemd reloaded after matrix-mautrix-discord.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_discord_systemd_service_result.changed" - - name: Ensure matrix-mautrix-discord.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-discord.service" state: restarted + daemon_reload: true when: "matrix_mautrix_discord_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml index d75f51647..ade37c2f8 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-discord.service" register: matrix_mautrix_discord_service_stat -- name: Ensure matrix-mautrix-discord is stopped - ansible.builtin.service: - name: matrix-mautrix-discord - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_discord_service_stat.stat.exists" +- when: matrix_mautrix_discord_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-discord is stopped + ansible.builtin.service: + name: matrix-mautrix-discord + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-discord.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-discord.service" - state: absent - when: "matrix_mautrix_discord_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-discord.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_discord_service_stat.stat.exists" + - name: Ensure matrix-mautrix-discord.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-discord.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml index 4ba7e1270..8f4fe29e4 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-discord settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_discord_appservice_token" - - "matrix_mautrix_discord_homeserver_token" + - {'name': 'matrix_mautrix_discord_appservice_token', when: true} + - {'name': 'matrix_mautrix_discord_homeserver_token', when: true} + - {'name': 'matrix_mautrix_discord_database_hostname', when: "{{ matrix_mautrix_discord_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index 719c86dc0..0b48aaad5 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.4.0 +matrix_mautrix_facebook_version: v0.5.0 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" @@ -46,6 +46,16 @@ matrix_mautrix_facebook_homeserver_token: '' # If false, created portal rooms will never be federated. matrix_mautrix_facebook_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_facebook_metrics_proxying_enabled`. +matrix_mautrix_facebook_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-facebook`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_facebook_metrics_proxying_enabled: false + matrix_mautrix_facebook_bridge_permissions: | {{ {matrix_mautrix_facebook_homeserver_domain: 'user'} @@ -74,7 +84,7 @@ matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebo matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' matrix_mautrix_facebook_database_password: 'some-password' -matrix_mautrix_facebook_database_hostname: 'matrix-postgres' +matrix_mautrix_facebook_database_hostname: '' matrix_mautrix_facebook_database_port: 5432 matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' @@ -93,6 +103,9 @@ matrix_mautrix_facebook_login_shared_secret: '' matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" +# Enable bridge relay bot functionality +matrix_mautrix_facebook_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_mautrix_facebook_appservice_bot_username: facebookbot matrix_mautrix_facebook_bridge_presence: true @@ -139,3 +152,8 @@ matrix_mautrix_facebook_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_facebook_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_facebook_bridge_encryption_default: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}" +matrix_mautrix_facebook_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml deleted file mode 100644 index 5565689f4..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml +++ /dev/null @@ -1,75 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Facebook image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" - when: matrix_mautrix_facebook_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-facebook-registration.yaml"] - }} - when: matrix_mautrix_facebook_enabled | bool - -- when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Mautrix Facebook's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-facebook role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Mautrix Facebook proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mautrix_facebook_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_facebook_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-facebook:29319"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9008; - {% endif %} - } - - - name: Register Mautrix Facebook proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mautrix_facebook_matrix_nginx_proxy_configuration] - }} - - - name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Mautrix Facebook bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_facebook_public_endpoint }}` - URL endpoint to the matrix-mautrix-facebook container. - You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable. - when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..17e2b138d --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,69 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Mautrix Facebook's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-facebook role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Mautrix Facebook proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mautrix_facebook_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_facebook_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-facebook:29319"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9008; + {% endif %} + } + +- name: Register Mautrix Facebook proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mautrix_facebook_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Mautrix Facebook bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_facebook_public_endpoint }}` + URL endpoint to the matrix-mautrix-facebook container. + You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" + +- when: matrix_mautrix_facebook_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-facebook metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) + ansible.builtin.set_fact: + matrix_mautrix_facebook_nginx_metrics_configuration_block: | + location /metrics/mautrix-facebook { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-facebook:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-facebook metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_facebook_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index 3ef2cb233..110346682 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_facebook_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-facebook + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_facebook_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-facebook + - install-all + - install-mautrix-facebook + block: + - when: matrix_mautrix_facebook_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_facebook_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_facebook_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-facebook + block: + - when: not matrix_mautrix_facebook_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 50a024270..fac1d1d2b 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_facebook_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_facebook_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -29,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-facebook.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_facebook_requires_restart: true @@ -100,7 +91,10 @@ when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: (Data relocation) Move mautrix-facebook database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: Ensure mautrix-facebook config.yaml installed @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" mode: 0644 - register: matrix_mautrix_facebook_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_facebook_systemd_service_result.changed" - name: Ensure matrix-mautrix-facebook.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-facebook.service" state: restarted + daemon_reload: true when: "matrix_mautrix_facebook_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml index fb235b54a..566da5b71 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" register: matrix_mautrix_facebook_service_stat -- name: Ensure matrix-mautrix-facebook is stopped - ansible.builtin.service: - name: matrix-mautrix-facebook - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_facebook_service_stat.stat.exists" +- when: matrix_mautrix_facebook_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-facebook is stopped + ansible.builtin.service: + name: matrix-mautrix-facebook + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-facebook.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" - state: absent - when: "matrix_mautrix_facebook_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_facebook_service_stat.stat.exists" + - name: Ensure matrix-mautrix-facebook.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml index 04e45c319..d61981a67 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml @@ -1,14 +1,15 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-facebook settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_facebook_public_endpoint" - - "matrix_mautrix_facebook_appservice_token" - - "matrix_mautrix_facebook_homeserver_token" + - {'name': 'matrix_mautrix_facebook_public_endpoint', when: true} + - {'name': 'matrix_mautrix_facebook_appservice_token', when: true} + - {'name': 'matrix_mautrix_facebook_homeserver_token', when: true} + - {'name': 'matrix_mautrix_facebook_database_hostname', when: "{{ matrix_mautrix_facebook_database_engine == 'postgres' }}"} - when: "matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" block: diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 3318255dc..7ec9342a2 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -62,7 +62,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_facebook_metrics_enabled | to_json }} listen_port: 8000 # Bridge config @@ -126,15 +126,15 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_facebook_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_facebook_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: false + allow_key_sharing: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. @@ -206,7 +206,7 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_mautrix_facebook_relay_enabled }} # The formats to use when sending messages to Messenger via a relay user. # # Available variables: @@ -216,8 +216,8 @@ bridge: # $message - The message content message_formats: m.text: '$sender_displayname: $message' - m.notice: '$sender_displayname: $message' - m.emote: '* $sender_displayname $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' m.file: '$sender_displayname sent a file' m.image: '$sender_displayname sent an image' m.audio: '$sender_displayname sent an audio file' diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml new file mode 100644 index 000000000..6a6c14b0a --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml @@ -0,0 +1,151 @@ +--- +# mautrix-gmessages is a Matrix <-> gmessages bridge +# Project source code URL: https://github.com/mautrix/gmessages + +matrix_mautrix_gmessages_enabled: true + +matrix_mautrix_gmessages_container_image_self_build: false +matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/mautrix/gmessages.git" +matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}" + +matrix_mautrix_gmessages_version: latest +# See: https://mau.dev/mautrix/gmessages/container_registry +matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_name_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}" +matrix_mautrix_gmessages_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_gmessages_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_gmessages_docker_image_force_pull: "{{ matrix_mautrix_gmessages_docker_image.endswith(':latest') }}" + +matrix_mautrix_gmessages_base_path: "{{ matrix_base_data_path }}/mautrix-gmessages" +matrix_mautrix_gmessages_config_path: "{{ matrix_mautrix_gmessages_base_path }}/config" +matrix_mautrix_gmessages_data_path: "{{ matrix_mautrix_gmessages_base_path }}/data" +matrix_mautrix_gmessages_docker_src_files_path: "{{ matrix_mautrix_gmessages_base_path }}/docker-src" + +matrix_mautrix_gmessages_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}" +matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080" + +matrix_mautrix_gmessages_command_prefix: "!gm" + +# A list of extra arguments to pass to the container +matrix_mautrix_gmessages_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-gmessages.service depends on. +matrix_mautrix_gmessages_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-gmessages.service wants +matrix_mautrix_gmessages_systemd_wanted_services_list: [] + +matrix_mautrix_gmessages_appservice_token: '' +matrix_mautrix_gmessages_homeserver_token: '' + +matrix_mautrix_gmessages_appservice_bot_username: gmessagesbot + +# Minimum severity of journal log messages. +# Options: debug, info, warn, error, fatal +matrix_mautrix_gmessages_logging_level: 'warn' + +# Whether or not created rooms should have federation enabled. +# If false, created portal rooms will never be federated. +matrix_mautrix_gmessages_federate_rooms: true + +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_gmessages_metrics_proxying_enabled`. +matrix_mautrix_gmessages_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-gmessages`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_gmessages_metrics_proxying_enabled: false + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_gmessages_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_gmessages_database_*` variables +matrix_mautrix_gmessages_database_engine: 'sqlite' + +matrix_mautrix_gmessages_sqlite_database_path_local: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" +matrix_mautrix_gmessages_sqlite_database_path_in_container: "/data/mautrix-gmessages.db" + +matrix_mautrix_gmessages_database_username: 'matrix_mautrix_gmessages' +matrix_mautrix_gmessages_database_password: 'some-password' +matrix_mautrix_gmessages_database_hostname: '' +matrix_mautrix_gmessages_database_port: 5432 +matrix_mautrix_gmessages_database_name: 'matrix_mautrix_gmessages' + +matrix_mautrix_gmessages_database_connection_string: 'postgresql://{{ matrix_mautrix_gmessages_database_username }}:{{ matrix_mautrix_gmessages_database_password }}@{{ matrix_mautrix_gmessages_database_hostname }}:{{ matrix_mautrix_gmessages_database_port }}/{{ matrix_mautrix_gmessages_database_name }}?sslmode=disable' + +matrix_mautrix_gmessages_appservice_database_type: "{{ + { + 'sqlite': 'sqlite3', + 'postgres':'postgres', + }[matrix_mautrix_gmessages_database_engine] +}}" + +matrix_mautrix_gmessages_appservice_database_uri: "{{ + { + 'sqlite': matrix_mautrix_gmessages_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_gmessages_database_connection_string, + }[matrix_mautrix_gmessages_database_engine] +}}" + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_gmessages_login_shared_secret: '' +matrix_mautrix_gmessages_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_gmessages_homeserver_domain: matrix_mautrix_gmessages_login_shared_secret} if matrix_mautrix_gmessages_login_shared_secret else {} }}" + +# Enable End-to-bridge encryption +matrix_mautrix_gmessages_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_gmessages_bridge_encryption_default: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}" +matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}" + +matrix_mautrix_gmessages_bridge_personal_filtering_spaces: true +matrix_mautrix_gmessages_bridge_mute_bridging: true + +matrix_mautrix_gmessages_bridge_permissions: | + {{ + {matrix_mautrix_gmessages_homeserver_domain: 'user'} + | combine({matrix_admin: 'admin'} if matrix_admin else {}) + }} + +# Default mautrix-gmessages configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_gmessages_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_gmessages_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_gmessages_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_gmessages_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_gmessages_configuration_yaml`. + +matrix_mautrix_gmessages_configuration_extension: "{{ matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml if matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_gmessages_configuration_yaml`. +matrix_mautrix_gmessages_configuration: "{{ matrix_mautrix_gmessages_configuration_yaml | from_yaml | combine(matrix_mautrix_gmessages_configuration_extension, recursive=True) }}" + +matrix_mautrix_gmessages_registration_yaml: | + id: gmessages + url: {{ matrix_mautrix_gmessages_appservice_address }} + as_token: "{{ matrix_mautrix_gmessages_appservice_token }}" + hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}" + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_gmessages_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '^@gmessages_.+:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_gmessages_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_gmessages_registration: "{{ matrix_mautrix_gmessages_registration_yaml | from_yaml }}" diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..c5cb1ba8a --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-gmessages-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-gmessages role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_gmessages_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-gmessages metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages) + ansible.builtin.set_fact: + matrix_mautrix_gmessages_nginx_metrics_configuration_block: | + location /metrics/mautrix-gmessages { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-gmessages:8001"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-gmessages metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_gmessages_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml new file mode 100644 index 000000000..45da31da8 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml @@ -0,0 +1,29 @@ +--- + +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_gmessages_enabled | bool and matrix_mautrix_gmessages_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + +- tags: + - setup-all + - setup-mautrix-gmessages + - install-all + - install-mautrix-gmessages + block: + - when: matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-mautrix-gmessages + block: + - when: not matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml new file mode 100644 index 000000000..73038c4c1 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml @@ -0,0 +1,140 @@ +--- + +- ansible.builtin.set_fact: + matrix_mautrix_gmessages_requires_restart: false + +- when: "matrix_mautrix_gmessages_database_engine == 'postgres'" + block: + - name: Check if an SQLite database already exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}" + register: matrix_mautrix_gmessages_sqlite_database_path_local_stat_result + + - when: "matrix_mautrix_gmessages_sqlite_database_path_local_stat_result.stat.exists | bool" + block: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: + src: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_gmessages_database_connection_string }}" + caller: "{{ role_path | basename }}" + engine_variable_name: 'matrix_mautrix_gmessages_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-gmessages.service'] + pgloader_options: ['--with "quote identifiers"'] + + - ansible.builtin.set_fact: + matrix_mautrix_gmessages_requires_restart: true + +- name: Ensure Mautrix gmessages paths exists + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_mautrix_gmessages_base_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_config_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_data_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}", when: "{{ matrix_mautrix_gmessages_container_image_self_build }}"} + when: item.when | bool + +- name: Ensure Mautrix gmessages image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_gmessages_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_gmessages_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_docker_image_force_pull }}" + when: not matrix_mautrix_gmessages_container_image_self_build + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Mautrix gmessages repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_mautrix_gmessages_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_gmessages_docker_src_files_path }}" + version: "{{ matrix_mautrix_gmessages_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_mautrix_gmessages_git_pull_results + when: "matrix_mautrix_gmessages_container_image_self_build | bool" + +- name: Ensure Mautrix gmessages Docker image is built + community.docker.docker_image: + name: "{{ matrix_mautrix_gmessages_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_gmessages_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}" + pull: true + when: "matrix_mautrix_gmessages_container_image_self_build | bool" + +- name: Check if an old database file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db" + register: matrix_mautrix_gmessages_stat_database + +- name: Check if an old matrix state file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json" + register: matrix_mautrix_gmessages_stat_mx_state + +- name: (Data relocation) Ensure matrix-mautrix-gmessages.service is stopped + ansible.builtin.service: + name: matrix-mautrix-gmessages + state: stopped + enabled: false + daemon_reload: true + failed_when: false + when: "matrix_mautrix_gmessages_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-gmessages database file to ./data directory + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db {{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" + creates: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" + removes: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db" + when: "matrix_mautrix_gmessages_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-gmessages mx-state file to ./data directory + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mx-state.json {{ matrix_mautrix_gmessages_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_gmessages_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json" + when: "matrix_mautrix_gmessages_stat_mx_state.stat.exists" + +- name: Ensure mautrix-gmessages config.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_gmessages_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_gmessages_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-gmessages registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_gmessages_registration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_gmessages_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-gmessages.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-gmessages.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + mode: 0644 + +- name: Ensure matrix-mautrix-gmessages.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-gmessages.service" + state: restarted + daemon_reload: true + when: "matrix_mautrix_gmessages_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml new file mode 100644 index 000000000..e324a523e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml @@ -0,0 +1,20 @@ +--- + +- name: Check existence of matrix-mautrix-gmessages service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + register: matrix_mautrix_gmessages_service_stat + +- when: matrix_mautrix_gmessages_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-gmessages is stopped + ansible.builtin.service: + name: matrix-mautrix-gmessages + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-mautrix-gmessages.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml new file mode 100644 index 000000000..acfffa75e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml @@ -0,0 +1,20 @@ +--- + +- name: Fail if required mautrix-gmessages settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_mautrix_gmessages_appservice_token', when: true} + - {'name': 'matrix_mautrix_gmessages_homeserver_token', when: true} + - {'name': 'matrix_mautrix_gmessages_database_hostname', when: "{{ matrix_mautrix_gmessages_database_engine == 'postgres' }}"} + +- name: (Deprecation) Catch and report renamed settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_mautrix_gmessages_log_level', 'new': 'matrix_mautrix_gmessages_logging_level'} diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 new file mode 100644 index 000000000..6dc136bb4 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 @@ -0,0 +1,292 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_gmessages_homeserver_address }} + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: {{ matrix_mautrix_gmessages_homeserver_domain }} + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's google messages connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + + # Should the bridge use a websocket for connecting to the homeserver? + # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, + # mautrix-asmux (deprecated), and hungryserv (proprietary). + websocket: false + # How often should the websocket be pinged? Pinging will be disabled if this is zero. + ping_interval_seconds: 0 + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_gmessages_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: postgres + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: {{ matrix_mautrix_gmessages_appservice_database_uri|to_json }} + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: gmessages + # Appservice bot details. + bot: + # Username of the appservice bot. + username: {{ matrix_mautrix_gmessages_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Google Messages bridge bot + avatar: mxc://maunium.net/yGOdcrJcwqARZqdzbfuxfhzb + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "{{ matrix_mautrix_gmessages_appservice_token }}" + hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}" + +# Segment API key to track some events, like provisioning API login and encryption errors. +segment_key: null +# Optional user_id to use when sending Segment events. If null, defaults to using mxID. +segment_user_id: null + +# Prometheus config. +metrics: + # Enable prometheus metrics? + enabled: {{ matrix_mautrix_gmessages_metrics_enabled | to_json }} + # IP and port where the metrics listener should be. The path is always /metrics + listen: 127.0.0.1:8001 + +google_messages: + # OS name to tell the phone. This is the name that shows up in the paired devices list. + os: mautrix-gmessages + # Browser type to tell the phone. This decides which icon is shown. + # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE + browser: OTHER + + # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser? + # If this is disabled, the user must manually use the `reconnect` command to reactivate the bridge. + aggressive_reconnect: false + +# Bridge config +bridge: + # Localpart template of MXIDs for SMS users. + # {{ '{{.}}' }} is replaced with an identifier of the recipient. + username_template: "{{ 'gmessages_{{.}}' }}" + # Displayname template for SMS users. + # {{ '{{.FullName}}' }} - Full name provided by the phone + # {{ '{{.FirstName}}' }} - First name provided by the phone + # {{ '{{.PhoneNumber}}' }} - Formatted phone number provided by the phone + displayname_template: "{{ '{{or .FullName .PhoneNumber}}' }}" + # Should the bridge create a space for each logged-in user and add bridged rooms to it? + personal_filtering_spaces: {{ matrix_mautrix_gmessages_bridge_personal_filtering_spaces | to_json }} + # Should the bridge send a read receipt from the bridge bot when a message has been sent to the phone? + delivery_receipts: false + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + + portal_message_buffer: 128 + + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Number of chats to sync when connecting to Google Messages. + initial_chat_sync_count: 25 + # Backfill settings + backfill: + # Number of messages to backfill in new chats. + initial_limit: 50 + # Number of messages to backfill on startup if the last message ID in the chat sync doesn't match the last bridged message. + missed_limit: 100 + + # Servers to always allow double puppeting from + double_puppet_server_map: + "{{ matrix_mautrix_gmessages_homeserver_domain }}": {{ matrix_mautrix_gmessages_homeserver_address }} + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret_map: {{ matrix_mautrix_gmessages_bridge_login_shared_secret_map|to_json }} + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Should Matrix m.notice-type messages be bridged? + bridge_notices: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: {{ matrix_mautrix_gmessages_bridge_mute_bridging | to_json }} + # When using double puppeting, should archived chats be moved to a specific tag in Matrix? + # This can be set to a tag (e.g. m.lowpriority), or null to disable. + archive_tag: null + # Same as above, but for pinned chats. The favorite tag is called m.favourite + pinned_tag: null + # Should mute status and tags only be bridged when the portal room is created? + tag_only_on_create: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: {{ matrix_mautrix_gmessages_federate_rooms|to_json }} + # Should the bridge never send alerts to the bridge management room? + # These are mostly things like the user being logged out. + disable_bridge_alerts: false + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!gm" + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Google Messages bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: {{ matrix_mautrix_gmessages_bridge_encryption_allow|to_json }} + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: {{ matrix_mautrix_gmessages_bridge_encryption_default|to_json }} + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow|to_json }} + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from SMS to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # user - Access to use the bridge to link their own Google Messages on android. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }} + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: {{ matrix_mautrix_gmessages_logging_level }} + writers: + - type: stdout + format: pretty-colored diff --git a/roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 similarity index 53% rename from roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 rename to roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 index 5c3fbac6f..fb34e95b9 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 @@ -1,11 +1,11 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-prometheus-postgres-exporter -{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} +Description=Matrix Mautrix gmessages bridge +{% for service in matrix_mautrix_gmessages_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} -{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} +{% for service in matrix_mautrix_gmessages_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} DefaultDependencies=no @@ -13,30 +13,31 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true' +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-gmessages \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_gmessages_config_path }}:/config:z \ + -v {{ matrix_mautrix_gmessages_data_path }}:/data:z \ + --workdir=/data \ + {% for arg in matrix_mautrix_gmessages_container_extra_arguments %} {{ arg }} \ {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ - {% endif %} - --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} + {{ matrix_mautrix_gmessages_docker_image }} \ + /usr/bin/mautrix-gmessages -c /config/config.yaml -r /config/registration.yaml -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-prometheus-postgres-exporter +SyslogIdentifier=matrix-mautrix-gmessages [Install] WantedBy=multi-user.target diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index a4b1438b0..de0123043 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}" -matrix_mautrix_googlechat_version: v0.3.3 +matrix_mautrix_googlechat_version: v0.5.0 # See: https://mau.dev/mautrix/googlechat/container_registry matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" @@ -68,7 +68,7 @@ matrix_mautrix_googlechat_sqlite_database_path_in_container: "/data/mautrix-goog matrix_mautrix_googlechat_database_username: 'matrix_mautrix_googlechat' matrix_mautrix_googlechat_database_password: 'some-password' -matrix_mautrix_googlechat_database_hostname: 'matrix-postgres' +matrix_mautrix_googlechat_database_hostname: '' matrix_mautrix_googlechat_database_port: 5432 matrix_mautrix_googlechat_database_name: 'matrix_mautrix_googlechat' @@ -129,3 +129,7 @@ matrix_mautrix_googlechat_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_googlechat_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_googlechat_bridge_encryption_default: "{{ matrix_mautrix_googlechat_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml deleted file mode 100644 index c4ae920c4..000000000 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml +++ /dev/null @@ -1,74 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Google Chat image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_googlechat_container_image_self_build and matrix_mautrix_googlechat_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-googlechat.service'] }}" - when: matrix_mautrix_googlechat_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_googlechat_config_path }}/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-googlechat-registration.yaml"] - }} - when: matrix_mautrix_googlechat_enabled | bool - -- when: matrix_mautrix_googlechat_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_googlechat_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-googlechat:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9007; - {% endif %} - } - - name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}` - URL endpoint to the matrix-mautrix-googlechat container. - You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable. - when: "matrix_mautrix_googlechat_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..6a417b61e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,43 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_googlechat_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-googlechat:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9007; + {% endif %} + } +- name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}` + URL endpoint to the matrix-mautrix-googlechat container. + You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable. + when: "matrix_mautrix_googlechat_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml index 070abfcd9..a23923b50 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_googlechat_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-googlechat + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_googlechat_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-googlechat + - install-all + - install-mautrix-googlechat + block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_googlechat_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-googlechat + block: + - when: not matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index daadcba24..c1ae8cf53 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-googlechat role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_googlechat_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_googlechat_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_googlechat_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -29,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-googlechat.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_googlechat_requires_restart: true @@ -100,7 +91,10 @@ when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: (Data relocation) Move mautrix-googlechat database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + creates: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + removes: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: Ensure mautrix-googlechat config.yaml installed @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-googlechat.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" mode: 0644 - register: matrix_mautrix_googlechat_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_googlechat_systemd_service_result.changed" - name: Ensure matrix-mautrix-googlechat.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-googlechat.service" state: restarted + daemon_reload: true when: "matrix_mautrix_googlechat_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml index 37a4e6751..12b486308 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" register: matrix_mautrix_googlechat_service_stat -- name: Ensure matrix-mautrix-googlechat is stopped - ansible.builtin.service: - name: matrix-mautrix-googlechat - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_googlechat_service_stat.stat.exists" +- when: matrix_mautrix_googlechat_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-googlechat is stopped + ansible.builtin.service: + name: matrix-mautrix-googlechat + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-googlechat.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" - state: absent - when: "matrix_mautrix_googlechat_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_googlechat_service_stat.stat.exists" + - name: Ensure matrix-mautrix-googlechat.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml index fc36472eb..06cb8de76 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml @@ -1,14 +1,12 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-googlechat settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_googlechat_public_endpoint" - - "matrix_mautrix_googlechat_appservice_token" - - "matrix_mautrix_googlechat_homeserver_token" -- ansible.builtin.debug: - msg: - - '`matrix_mautrix_googlechat_homeserver_domain` == {{ matrix_mautrix_googlechat_homeserver_domain }}' + - {'name': 'matrix_mautrix_googlechat_public_endpoint', when: true} + - {'name': 'matrix_mautrix_googlechat_appservice_token', when: true} + - {'name': 'matrix_mautrix_googlechat_homeserver_token', when: true} + - {'name': 'matrix_mautrix_googlechat_database_hostname', when: "{{ matrix_mautrix_googlechat_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 index a2560a9fc..4f46aab25 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 @@ -88,10 +88,10 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_googlechat_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_googlechat_bridge_encryption_default|to_json }} # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8b338fd76..65b4a6ff5 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -65,7 +65,7 @@ matrix_mautrix_hangouts_sqlite_database_path_in_container: "/data/mautrix-hangou matrix_mautrix_hangouts_database_username: 'matrix_mautrix_hangouts' matrix_mautrix_hangouts_database_password: 'some-password' -matrix_mautrix_hangouts_database_hostname: 'matrix-postgres' +matrix_mautrix_hangouts_database_hostname: '' matrix_mautrix_hangouts_database_port: 5432 matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts' @@ -126,3 +126,7 @@ matrix_mautrix_hangouts_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_hangouts_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_hangouts_bridge_encryption_default: "{{ matrix_mautrix_hangouts_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml deleted file mode 100644 index 380dc4b38..000000000 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ /dev/null @@ -1,74 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Hangouts image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" - when: matrix_mautrix_hangouts_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_hangouts_config_path }}/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-hangouts-registration.yaml"] - }} - when: matrix_mautrix_hangouts_enabled | bool - -- when: matrix_mautrix_hangouts_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Mautrix Hangouts proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mautrix_hangouts_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_hangouts_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-hangouts:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9007; - {% endif %} - } - - name: Register Mautrix Hangouts proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mautrix_hangouts_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Mautrix Hangouts bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_hangouts_public_endpoint }}` - URL endpoint to the matrix-mautrix-hangouts container. - You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable. - when: "matrix_mautrix_hangouts_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..b5696c841 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Mautrix Hangouts proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mautrix_hangouts_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_hangouts_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-hangouts:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9007; + {% endif %} + } + +- name: Register Mautrix Hangouts proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mautrix_hangouts_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Mautrix Hangouts bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_hangouts_public_endpoint }}` + URL endpoint to the matrix-mautrix-hangouts container. + You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable. + when: "matrix_mautrix_hangouts_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml index d69136899..e7881567e 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_hangouts_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-hangouts + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_hangouts_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-hangouts + - install-all + - install-mautrix-hangouts + block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_hangouts_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-hangouts + block: + - when: not matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index a846a7b06..0fa549941 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-hangouts role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_hangouts_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_hangouts_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -29,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-hangouts.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_hangouts_requires_restart: true @@ -100,7 +91,10 @@ when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: (Data relocation) Move mautrix-hangouts database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + creates: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + removes: "{{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db" when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: Ensure mautrix-hangouts config.yaml installed @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-hangouts.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" mode: 0644 - register: matrix_mautrix_hangouts_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-hangouts.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_hangouts_systemd_service_result.changed" - name: Ensure matrix-mautrix-hangouts.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-hangouts.service" state: restarted + daemon_reload: true when: "matrix_mautrix_hangouts_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml index b7ff72393..02d7183f6 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" register: matrix_mautrix_hangouts_service_stat -- name: Ensure matrix-mautrix-hangouts is stopped - ansible.builtin.service: - name: matrix-mautrix-hangouts - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_hangouts_service_stat.stat.exists" +- when: matrix_mautrix_hangouts_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-hangouts is stopped + ansible.builtin.service: + name: matrix-mautrix-hangouts + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-hangouts.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" - state: absent - when: "matrix_mautrix_hangouts_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-hangouts.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_hangouts_service_stat.stat.exists" + - name: Ensure matrix-mautrix-hangouts.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml index c80586e09..11635642c 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml @@ -1,14 +1,12 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-hangouts settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_hangouts_public_endpoint" - - "matrix_mautrix_hangouts_appservice_token" - - "matrix_mautrix_hangouts_homeserver_token" -- ansible.builtin.debug: - msg: - - '`matrix_mautrix_hangouts_homeserver_domain` == {{ matrix_mautrix_hangouts_homeserver_domain }}' + - {'name': 'matrix_mautrix_hangouts_public_endpoint', when: true} + - {'name': 'matrix_mautrix_hangouts_appservice_token', when: true} + - {'name': 'matrix_mautrix_hangouts_homeserver_token', when: true} + - {'name': 'matrix_mautrix_hangouts_database_hostname', when: "{{ matrix_mautrix_hangouts_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 index d737f3f17..25dd38ec6 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 @@ -88,10 +88,10 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_hangouts_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_hangouts_bridge_encryption_default|to_json }} # Public website and API configs web: diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index dcdf6723d..cef492889 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}" -matrix_mautrix_instagram_version: v0.2.2 +matrix_mautrix_instagram_version: v0.3.0 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" @@ -47,6 +47,16 @@ matrix_mautrix_instagram_homeserver_token: '' # If false, created portal rooms will never be federated. matrix_mautrix_instagram_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_instagram_metrics_proxying_enabled`. +matrix_mautrix_instagram_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-instagram`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_instagram_metrics_proxying_enabled: false + # Database-related configuration fields. # # To use Postgres: @@ -55,7 +65,7 @@ matrix_mautrix_instagram_database_engine: 'postgres' matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' matrix_mautrix_instagram_database_password: 'some-password' -matrix_mautrix_instagram_database_hostname: 'matrix-postgres' +matrix_mautrix_instagram_database_hostname: '' matrix_mautrix_instagram_database_port: 5432 matrix_mautrix_instagram_database_name: 'matrix_mautrix_instagram' @@ -73,6 +83,9 @@ matrix_mautrix_instagram_login_shared_secret: '' matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}" +# Enable bridge relay bot functionality +matrix_mautrix_instagram_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_mautrix_instagram_appservice_bot_username: instagrambot matrix_mautrix_instagram_bridge_presence: true @@ -119,3 +132,8 @@ matrix_mautrix_instagram_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_instagram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_instagram_bridge_encryption_default: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}" +matrix_mautrix_instagram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml deleted file mode 100644 index 7ef037e33..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Instagram image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build and matrix_mautrix_instagram_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" - when: matrix_mautrix_instagram_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_instagram_config_path }}/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-instagram-registration.yaml"] - }} - when: matrix_mautrix_instagram_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..99a36c141 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-instagram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_instagram_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-instagram metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) + ansible.builtin.set_fact: + matrix_mautrix_instagram_nginx_metrics_configuration_block: | + location /metrics/mautrix-instagram { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-instagram:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-instagram metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_instagram_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index d5becb6d3..834dec0cc 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_instagram_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-instagram + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_instagram_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-instagram + - install-all + - install-mautrix-instagram + block: + - when: matrix_mautrix_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_instagram_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-instagram + block: + - when: not matrix_mautrix_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index 19a2ff9ae..68891c9eb 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -1,11 +1,4 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-instagram role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - name: Ensure Mautrix instagram image is pulled community.docker.docker_image: @@ -77,9 +70,3 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-instagram.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" mode: 0644 - register: matrix_mautrix_instagram_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-instagram.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_instagram_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml index a029a90ac..6ac0f6d52 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml @@ -4,21 +4,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" register: matrix_mautrix_instagram_service_stat -- name: Ensure matrix-mautrix-instagram is stopped - ansible.builtin.service: - name: matrix-mautrix-instagram - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_instagram_service_stat.stat.exists" +- when: matrix_mautrix_instagram_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-instagram is stopped + ansible.builtin.service: + name: matrix-mautrix-instagram + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-instagram.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" - state: absent - when: "matrix_mautrix_instagram_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-instagram.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_instagram_service_stat.stat.exists" + - name: Ensure matrix-mautrix-instagram.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml index 99f7b0156..51bedf683 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml @@ -1,9 +1,10 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-instagram settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_instagram_appservice_token" - - "matrix_mautrix_instagram_homeserver_token" + - {'name': 'matrix_mautrix_instagram_appservice_token', when: true} + - {'name': 'matrix_mautrix_instagram_homeserver_token', when: true} + - {'name': 'matrix_mautrix_instagram_database_hostname', when: "{{ matrix_mautrix_instagram_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 039b9bfea..e3d4be521 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -57,7 +57,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_instagram_metrics_enabled | to_json }} listen_port: 8000 instagram: @@ -143,15 +143,15 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: false + allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. @@ -196,6 +196,23 @@ bridge: # The shared secret to authorize users of the API. # Set to "generate" to generate and save a new token. shared_secret: generate + relay: + # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: {{ matrix_mautrix_instagram_relay_enabled }} + # The formats to use when sending messages to Instagram via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content + # + # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed. + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' # Python logging configuration. # diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 24ba9b39d..7675e7b17 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,10 +9,11 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: v0.4.1 -matrix_mautrix_signal_daemon_version: 0.23.0 +matrix_mautrix_signal_version: v0.4.3 +matrix_mautrix_signal_daemon_version: 0.23.2 # See: https://mau.dev/mautrix/signal/container_registry -matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" +matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" +matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" matrix_mautrix_signal_daemon_container_image_self_build: false @@ -20,7 +21,8 @@ matrix_mautrix_signal_daemon_docker_repo: "https://gitlab.com/signald/signald" matrix_mautrix_signal_daemon_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_daemon_version == 'latest' else matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" -matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_docker_image_tag }}" +matrix_mautrix_signal_daemon_docker_image: "{{ matrix_mautrix_signal_daemon_docker_image_name_prefix }}signald/signald:{{ matrix_mautrix_signal_daemon_docker_image_tag }}" +matrix_mautrix_signal_daemon_docker_image_name_prefix: "docker.io/" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image_tag.endswith(':latest') }}" matrix_mautrix_signal_daemon_docker_image_tag: "{{ matrix_mautrix_signal_daemon_version }}" @@ -68,6 +70,16 @@ matrix_mautrix_signal_logging_level: WARNING # If false, created portal rooms will never be federated. matrix_mautrix_signal_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_signal_metrics_proxying_enabled`. +matrix_mautrix_signal_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-signal`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_signal_metrics_proxying_enabled: false + # Database-related configuration fields # # This bridge only supports postgres. @@ -76,7 +88,7 @@ matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_username: 'matrix_mautrix_signal' matrix_mautrix_signal_database_password: 'some-password' -matrix_mautrix_signal_database_hostname: 'matrix-postgres' +matrix_mautrix_signal_database_hostname: '' matrix_mautrix_signal_database_port: 5432 matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' @@ -92,7 +104,7 @@ matrix_mautrix_signal_appservice_database: "{{ matrix_mautrix_signal_login_shared_secret: '' # Enable bridge relay bot functionality -matrix_mautrix_signal_relaybot_enabled: false +matrix_mautrix_signal_relaybot_enabled: "{{ matrix_bridges_relay_enabled }}" # Permissions for using the bridge. # Permitted values: @@ -140,7 +152,7 @@ matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml matrix_mautrix_signal_log_level: 'DEBUG' -matrix_mautrix_signal_bridge_encryption_allow: false +matrix_mautrix_signal_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_signal_bridge_encryption_default: "{{ matrix_mautrix_signal_bridge_encryption_allow }}" matrix_mautrix_signal_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_signal_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml deleted file mode 100644 index 17ad98a4c..000000000 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}" - when: matrix_mautrix_signal_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-signal-registration.yaml"] - }} - when: matrix_mautrix_signal_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..fe85254bd --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_signal_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-signal metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) + ansible.builtin.set_fact: + matrix_mautrix_signal_nginx_metrics_configuration_block: | + location /metrics/mautrix-signal { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-signal:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-signal metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_signal_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 54bdafcda..f5d769e5c 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_signal_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-signal + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_signal_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-signal + - install-all + - install-mautrix-signal + block: + - when: matrix_mautrix_signal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_signal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_signal_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-signal + block: + - when: not matrix_mautrix_signal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml index f5a162a3c..41e6394f1 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure Mautrix Signal image is pulled community.docker.docker_image: name: "{{ matrix_mautrix_signal_docker_image }}" @@ -129,9 +121,3 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" mode: 0644 - register: matrix_mautrix_signal_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-signal.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml index d98d28ba7..8cc0b419c 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml @@ -6,19 +6,19 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service" register: matrix_mautrix_signal_daemon_service_stat -- name: Ensure matrix-mautrix-signal-daemon is stopped - ansible.builtin.service: - name: matrix-mautrix-signal-daemon - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" +- when: matrix_mautrix_signal_daemon_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-signal-daemon is stopped + ansible.builtin.service: + name: matrix-mautrix-signal-daemon + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-signal-daemon.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service" - state: absent - when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" + - name: Ensure matrix-mautrix-signal-daemon.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service" + state: absent # Bridge service - name: Check existence of matrix-mautrix-signal service @@ -26,22 +26,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" register: matrix_mautrix_signal_service_stat -- name: Ensure matrix-mautrix-signal is stopped - ansible.builtin.service: - name: matrix-mautrix-signal - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_signal_service_stat.stat.exists" - -- name: Ensure matrix-mautrix-signal.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" - state: absent - when: "matrix_mautrix_signal_service_stat.stat.exists" +- when: matrix_mautrix_signal_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-signal is stopped + ansible.builtin.service: + name: matrix-mautrix-signal + state: stopped + enabled: false + daemon_reload: true -# All services -- name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists" + - name: Ensure matrix-mautrix-signal.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml index ea2c1c430..5cabf18c5 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -1,15 +1,16 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-signal settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_signal_homeserver_domain" - - "matrix_mautrix_signal_homeserver_address" - - "matrix_mautrix_signal_homeserver_token" - - "matrix_mautrix_signal_appservice_token" + - {'name': 'matrix_mautrix_signal_homeserver_domain', when: true} + - {'name': 'matrix_mautrix_signal_homeserver_address', when: true} + - {'name': 'matrix_mautrix_signal_homeserver_token', when: true} + - {'name': 'matrix_mautrix_signal_appservice_token', when: true} + - {'name': 'matrix_mautrix_signal_database_hostname', when: "{{ matrix_mautrix_signal_database_engine == 'postgres' }}"} - name: (Deprecation) Fail if matrix_mautrix_signal_bridge_permissions specified as YAML string, instead of a dictionary ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 796a6e41a..828ff940b 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -67,7 +67,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_signal_metrics_enabled | to_json }} listen_port: 8000 # Manhole config. diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml new file mode 100644 index 000000000..2b6c77522 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml @@ -0,0 +1,138 @@ +--- +# mautrix-slack is a Matrix <-> Slack bridge +# Project source code URL: https://github.com/mautrix/slack + +matrix_mautrix_slack_enabled: true + +matrix_mautrix_slack_container_image_self_build: false +matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/slack.git" +matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}" + +matrix_mautrix_slack_version: latest +# See: https://mau.dev/mautrix/slack/container_registry +matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_name_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}" +matrix_mautrix_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_slack_docker_image_force_pull: "{{ matrix_mautrix_slack_docker_image.endswith(':latest') }}" + +matrix_mautrix_slack_base_path: "{{ matrix_base_data_path }}/mautrix-slack" +matrix_mautrix_slack_config_path: "{{ matrix_mautrix_slack_base_path }}/config" +matrix_mautrix_slack_data_path: "{{ matrix_mautrix_slack_base_path }}/data" +matrix_mautrix_slack_docker_src_files_path: "{{ matrix_mautrix_slack_base_path }}/docker-src" + +matrix_mautrix_slack_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_slack_homeserver_domain: "{{ matrix_domain }}" +matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080" + +matrix_mautrix_slack_command_prefix: "!slack" + +matrix_mautrix_slack_bridge_permissions: | + {{ + {matrix_mautrix_slack_homeserver_domain: 'user'} + | combine({matrix_admin: 'admin'} if matrix_admin else {}) + }} + +# A list of extra arguments to pass to the container +matrix_mautrix_slack_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-slack.service depends on. +matrix_mautrix_slack_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-slack.service wants +matrix_mautrix_slack_systemd_wanted_services_list: [] + +matrix_mautrix_slack_appservice_token: '' +matrix_mautrix_slack_homeserver_token: '' + +matrix_mautrix_slack_appservice_bot_username: slackbot + +# Minimum severity of journal log messages. +# Options: debug, info, warn, error, fatal +matrix_mautrix_slack_logging_level: 'warn' + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_slack_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_slack_database_*` variables +matrix_mautrix_slack_database_engine: 'sqlite' + +matrix_mautrix_slack_sqlite_database_path_local: "{{ matrix_mautrix_slack_data_path }}/mautrix-slack.db" +matrix_mautrix_slack_sqlite_database_path_in_container: "/data/mautrix-slack.db" + +matrix_mautrix_slack_database_username: 'matrix_mautrix_slack' +matrix_mautrix_slack_database_password: 'some-password' +matrix_mautrix_slack_database_hostname: '' +matrix_mautrix_slack_database_port: 5432 +matrix_mautrix_slack_database_name: 'matrix_mautrix_slack' + +matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode=disable' + +matrix_mautrix_slack_appservice_database_type: "{{ + { + 'sqlite': 'sqlite3', + 'postgres':'postgres', + }[matrix_mautrix_slack_database_engine] +}}" + +matrix_mautrix_slack_appservice_database_uri: "{{ + { + 'sqlite': matrix_mautrix_slack_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_slack_database_connection_string, + }[matrix_mautrix_slack_database_engine] +}}" + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_slack_login_shared_secret: '' +matrix_mautrix_slack_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_slack_homeserver_domain: matrix_mautrix_slack_login_shared_secret} if matrix_mautrix_slack_login_shared_secret else {} }}" + +# Servers to always allow double puppeting from +matrix_mautrix_slack_bridge_double_puppet_server_map: + "{{ matrix_mautrix_slack_homeserver_domain : matrix_mautrix_slack_homeserver_address }}" + +# Default mautrix-slack configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_slack_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_slack_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_slack_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_slack_configuration_yaml`. + +matrix_mautrix_slack_configuration_extension: "{{ matrix_mautrix_slack_configuration_extension_yaml | from_yaml if matrix_mautrix_slack_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_slack_configuration_yaml`. +matrix_mautrix_slack_configuration: "{{ matrix_mautrix_slack_configuration_yaml | from_yaml | combine(matrix_mautrix_slack_configuration_extension, recursive=True) }}" + +matrix_mautrix_slack_registration_yaml: | + id: slack + url: {{ matrix_mautrix_slack_appservice_address }} + as_token: "{{ matrix_mautrix_slack_appservice_token }}" + hs_token: "{{ matrix_mautrix_slack_homeserver_token }}" + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_slack_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '^@slack_[a-z-A-Z0-9\-]+:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_slack_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_slack_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_mautrix_slack_bridge_encryption_allow }}" +matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml new file mode 100644 index 000000000..b7a2199d7 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-mautrix-slack + - install-all + - install-mautrix-slack + block: + - when: matrix_mautrix_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-mautrix-slack + block: + - when: not matrix_mautrix_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml new file mode 100644 index 000000000..f266f0262 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml @@ -0,0 +1,108 @@ +--- + +- ansible.builtin.set_fact: + matrix_mautrix_slack_requires_restart: false + +- when: "matrix_mautrix_slack_database_engine == 'postgres'" + block: + - name: Check if an SQLite database already exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_slack_sqlite_database_path_local }}" + register: matrix_mautrix_slack_sqlite_database_path_local_stat_result + + - when: "matrix_mautrix_slack_sqlite_database_path_local_stat_result.stat.exists | bool" + block: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: + src: "{{ matrix_mautrix_slack_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_slack_database_connection_string }}" + caller: "{{ role_path | basename }}" + engine_variable_name: 'matrix_mautrix_slack_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-slack.service'] + pgloader_options: ['--with "quote identifiers"'] + + - ansible.builtin.set_fact: + matrix_mautrix_slack_requires_restart: true + +- name: Ensure Mautrix Slack paths exists + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_mautrix_slack_base_path }}", when: true} + - {path: "{{ matrix_mautrix_slack_config_path }}", when: true} + - {path: "{{ matrix_mautrix_slack_data_path }}", when: true} + - {path: "{{ matrix_mautrix_slack_docker_src_files_path }}", when: "{{ matrix_mautrix_slack_container_image_self_build }}"} + when: item.when | bool + +- name: Ensure Mautrix Slack image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_slack_docker_image_force_pull }}" + when: not matrix_mautrix_slack_container_image_self_build + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Mautrix slack repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_mautrix_slack_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_slack_docker_src_files_path }}" + version: "{{ matrix_mautrix_slack_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_mautrix_slack_git_pull_results + when: "matrix_mautrix_slack_container_image_self_build | bool" + +- name: Ensure Mautrix slack Docker image is built + community.docker.docker_image: + name: "{{ matrix_mautrix_slack_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_slack_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_slack_docker_src_files_path }}" + pull: true + when: "matrix_mautrix_slack_container_image_self_build | bool" + +- name: Ensure mautrix-slack config.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_slack_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_slack_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-slack registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_slack_registration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_slack_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-slack.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-slack.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" + mode: 0644 + register: matrix_mautrix_slack_systemd_service_result + +- name: Ensure matrix-mautrix-slack.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-slack.service" + state: restarted + daemon_reload: true + when: "matrix_mautrix_slack_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml new file mode 100644 index 000000000..19350b443 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml @@ -0,0 +1,20 @@ +--- + +- name: Check existence of matrix-mautrix-slack service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" + register: matrix_mautrix_slack_service_stat + +- when: matrix_mautrix_slack_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-slack is stopped + ansible.builtin.service: + name: matrix-mautrix-slack + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-mautrix-slack.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml new file mode 100644 index 000000000..3c764a4ea --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml @@ -0,0 +1,20 @@ +--- + +- name: Fail if required mautrix-slack settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_mautrix_slack_appservice_token', when: true} + - {'name': 'matrix_mautrix_slack_homeserver_token', when: true} + - {'name': 'matrix_mautrix_slack_database_hostname', when: "{{ matrix_mautrix_slack_database_engine == 'postgres' }}"} + +- name: Fail if appservice-slack and mautrix-slack have conflicting bot usernames + when: matrix_appservice_slack_enabled | default(False) | bool and matrix_mautrix_slack_appservice_bot_username == matrix_appservice_slack_bot_name | default ('') + ansible.builtin.fail: + msg: | + The appservice-slack and mautrix-slack components are both enabled and use the same bot username ({{ matrix_mautrix_slack_appservice_bot_username }}), as per their default configuration, which causes a conflcit. + To resolve the conflict, make one of these components use a different username. + Consider either changing `matrix_mautrix_slack_appservice_bot_username` (the bot username for the mautrix-slack component) or `matrix_appservice_slack_bot_name` (the bot username for the appservice-slack component). + We recommend that you change the username for the newly-added (and yet unused) component. diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 new file mode 100644 index 000000000..5c60c66f4 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 @@ -0,0 +1,240 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_slack_homeserver_address | to_json }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_slack_homeserver_domain | to_json }} + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_slack_appservice_address | to_json }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: {{ matrix_mautrix_slack_appservice_database_type|to_json }} + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: {{ matrix_mautrix_slack_appservice_database_uri|to_json }} + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: slack + # Appservice bot details. + bot: + # Username of the appservice bot. + username: {{ matrix_mautrix_slack_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Slack bridge bot + avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: {{ matrix_mautrix_slack_appservice_token | to_json }} + hs_token: {{ matrix_mautrix_slack_homeserver_token | to_json }} + +# Bridge config +bridge: + # Localpart template of MXIDs for Slack users. + # {{ '{{.}}' }} is replaced with the internal ID of the Slack user. + username_template: "{{ 'slack_{{.}}' }}" + # Displayname template for Slack users. + # TODO: document variables + displayname_template: "{{ '{{.RealName}} (S)' }}" + bot_displayname_template: "{{ '{{.Name}} (bot)' }}" + channel_name_template: "{{ '#{{.Name}} ({{.TeamName}})' }}" + + portal_message_buffer: 128 + + # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + + # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. + sync_with_custom_puppets: false + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + + # Servers to always allow double puppeting from + double_puppet_server_map: + "{{ matrix_mautrix_slack_homeserver_domain }}": {{ matrix_mautrix_slack_homeserver_address }} + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret_map: {{ matrix_mautrix_slack_bridge_login_shared_secret_map|to_json }} + + message_handling_timeout: + # Send an error message after this timeout, but keep waiting for the response until the deadline. + # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay. + # If the message is older than this when it reaches the bridge, the message won't be handled at all. + error_after: 10s + # Drop messages after this timeout. They may still go through if the message got sent to the servers. + # This is counted from the time the bridge starts handling the message. + deadline: 60s + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "{{ matrix_mautrix_slack_command_prefix }}" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Slack bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + backfill: + # Allow backfilling at all? Requires MSC2716 support on homeserver. + enable: false + + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack. + # Set to -1 to let any chat be unread. + unread_hours_threshold: 720 + + # Number of messages to immediately backfill when creating a portal. + immediate_messages: 10 + + # Settings for incremental backfill of history. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of messages to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_messages: + # Channels + channel: -1 + # Group direct messages + group_dm: -1 + # 1:1 direct messages + dm: -1 + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: {{ matrix_mautrix_slack_bridge_encryption_allow|to_json }} + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: {{ matrix_mautrix_slack_bridge_encryption_default|to_json }} + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow|to_json }} + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a Slack account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: {{ matrix_mautrix_slack_bridge_permissions|to_json }} + +logging: + directory: ./logs + file_name_format: '' + file_date_format: "2006-01-02" + file_mode: 384 + timestamp_format: Jan _2, 2006 15:04:05 + print_level: {{ matrix_mautrix_slack_logging_level | to_json }} + print_json: false + file_json: false diff --git a/roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 similarity index 51% rename from roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 rename to roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 index 82aca453f..af5f3c038 100644 --- a/roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 @@ -1,11 +1,11 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-prometheus-node-exporter -{% for service in matrix_prometheus_node_exporter_systemd_required_services_list %} +Description=Matrix Mautrix Slack bridge +{% for service in matrix_mautrix_slack_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} -{% for service in matrix_prometheus_node_exporter_systemd_wanted_services_list %} +{% for service in matrix_mautrix_slack_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} DefaultDependencies=no @@ -13,32 +13,31 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-prometheus-node-exporter \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-slack \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} + --network={{ matrix_docker_network }} \ + --mount type=bind,src={{ matrix_mautrix_slack_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_mautrix_slack_data_path }},dst=/data \ + --workdir=/data \ + {% for arg in matrix_mautrix_slack_container_extra_arguments %} {{ arg }} \ {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} - --pid=host \ - --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ - {{ matrix_prometheus_node_exporter_docker_image }} \ - --path.rootfs=/host {{ matrix_prometheus_node_exporter_process_extra_arguments|join(' ') }} + {{ matrix_mautrix_slack_docker_image }} \ + /usr/bin/mautrix-slack -c /config/config.yaml -r /config/registration.yaml --no-update -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-prometheus-node-exporter +SyslogIdentifier=matrix-mautrix-slack [Install] WantedBy=multi-user.target diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 0f52cc222..79f835932 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -9,16 +9,18 @@ matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_repo_version: "master" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" -matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.16" # needs to be adjusted according to the FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image: "{{ matrix_telegram_lottieconverter_docker_image_name_prefix }}tulir/lottieconverter:alpine-3.16" # needs to be adjusted according to the FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image_name_prefix: "{{ 'localhost/' if matrix_telegram_lottieconverter_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.12.1 +matrix_mautrix_telegram_version: v0.14.1 # See: https://mau.dev/mautrix/telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" +matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" +matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" @@ -95,7 +97,7 @@ matrix_mautrix_telegram_sqlite_database_path_in_container: "/data/mautrix-telegr matrix_mautrix_telegram_database_username: 'matrix_mautrix_telegram' matrix_mautrix_telegram_database_password: 'some-password' -matrix_mautrix_telegram_database_hostname: 'matrix-postgres' +matrix_mautrix_telegram_database_hostname: '' matrix_mautrix_telegram_database_port: 5432 matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram' @@ -161,6 +163,6 @@ matrix_mautrix_telegram_alias_template: 'telegram_{groupname}' matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)' # Enable End-to-bridge encryption -matrix_mautrix_telegram_bridge_encryption_allow: false +matrix_mautrix_telegram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_telegram_bridge_encryption_default: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}" matrix_mautrix_telegram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml deleted file mode 100644 index f828f7932..000000000 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml +++ /dev/null @@ -1,74 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Telegram image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_image_self_build and matrix_mautrix_telegram_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" - when: matrix_mautrix_telegram_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_telegram_config_path }}/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-telegram-registration.yaml"] - }} - when: matrix_mautrix_telegram_enabled | bool - -- when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_telegram_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-telegram:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9006; - {% endif %} - } - - - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] - }} - - name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` - URL endpoint to the matrix-mautrix-telegram container. - You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable. - when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..7bbd15518 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_telegram_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-telegram:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9006; + {% endif %} + } + +- name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` + URL endpoint to the matrix-mautrix-telegram container. + You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml index 471f0cf13..212848b6a 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml @@ -1,22 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_telegram_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-telegram + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_telegram_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-telegram + - install-all + - install-mautrix-telegram + block: + - when: matrix_mautrix_telegram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_telegram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_telegram_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-telegram + block: + - when: not matrix_mautrix_telegram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index ba9c450fa..ddf11d8db 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-telegram role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_telegram_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_telegram_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -29,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-telegram.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_telegram_requires_restart: true @@ -125,7 +116,10 @@ when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: (Data relocation) Move mautrix-telegram database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + creates: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + removes: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: Ensure mautrix-telegram config.yaml installed @@ -149,15 +143,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" mode: 0644 - register: matrix_mautrix_telegram_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-telegram.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_telegram_systemd_service_result.changed" - name: Ensure matrix-mautrix-telegram.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-telegram.service" state: restarted + daemon_reload: true when: "matrix_mautrix_telegram_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml index 90ca01951..ebb7e5db2 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" register: matrix_mautrix_telegram_service_stat -- name: Ensure matrix-mautrix-telegram is stopped - ansible.builtin.service: - name: matrix-mautrix-telegram - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_telegram_service_stat.stat.exists" +- when: matrix_mautrix_telegram_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-telegram is stopped + ansible.builtin.service: + name: matrix-mautrix-telegram + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-telegram.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" - state: absent - when: "matrix_mautrix_telegram_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-telegram.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_telegram_service_stat.stat.exists" + - name: Ensure matrix-mautrix-telegram.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index 9711448bf..16ebf37dc 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -1,16 +1,17 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-telegram settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_telegram_api_id" - - "matrix_mautrix_telegram_api_hash" - - "matrix_mautrix_telegram_public_endpoint" - - "matrix_mautrix_telegram_appservice_token" - - "matrix_mautrix_telegram_homeserver_token" + - {'name': 'matrix_mautrix_telegram_api_id', when: true} + - {'name': 'matrix_mautrix_telegram_api_hash', when: true} + - {'name': 'matrix_mautrix_telegram_public_endpoint', when: true} + - {'name': 'matrix_mautrix_telegram_appservice_token', when: true} + - {'name': 'matrix_mautrix_telegram_homeserver_token', when: true} + - {'name': 'matrix_mautrix_telegram_database_hostname', when: "{{ matrix_mautrix_telegram_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Telegram variables ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index 684b889ac..55e8411b6 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}" -matrix_mautrix_twitter_version: v0.1.5 +matrix_mautrix_twitter_version: v0.1.6 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" @@ -54,7 +54,7 @@ matrix_mautrix_twitter_federate_rooms: true matrix_mautrix_twitter_database_engine: 'postgres' matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' -matrix_mautrix_twitter_database_password: '' +matrix_mautrix_twitter_database_password: 'some-password' matrix_mautrix_twitter_database_hostname: '' matrix_mautrix_twitter_database_port: 5432 matrix_mautrix_twitter_database_name: 'matrix_mautrix_twitter' @@ -78,6 +78,16 @@ matrix_mautrix_twitter_appservice_bot_username: twitterbot # Specifies the default log level for all bridge loggers. matrix_mautrix_twitter_logging_level: WARNING +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_twitter_metrics_proxying_enabled`. +matrix_mautrix_twitter_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-twitter`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_twitter_metrics_proxying_enabled: false + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -117,3 +127,8 @@ matrix_mautrix_twitter_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_twitter_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_twitter_bridge_encryption_default: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}" +matrix_mautrix_twitter_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml deleted file mode 100644 index 67f0a7dcf..000000000 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-twitter.service'] }}" - when: matrix_mautrix_twitter_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-twitter-registration.yaml"] - }} - when: matrix_mautrix_twitter_enabled | bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - ansible.builtin.fail: - msg: "To self build Mautrix Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_twitter_container_image_self_build" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..2efad7cdf --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-twitter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_twitter_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-twitter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) + ansible.builtin.set_fact: + matrix_mautrix_twitter_nginx_metrics_configuration_block: | + location /metrics/mautrix-twitter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-twitter:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-twitter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_twitter_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index 2f0c39b2a..655e52fbc 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_twitter_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-twitter + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_twitter_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-twitter + - install-all + - install-mautrix-twitter + block: + - when: matrix_mautrix_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_twitter_enabled | bool" - tags: +- tags: - setup-all - setup-mautrix-twitter + block: + - when: not matrix_mautrix_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index c3ab2d4e7..d5c26c2b5 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-twitter role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_twitter_requires_restart: false @@ -80,15 +72,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-twitter.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" mode: 0644 - register: matrix_mautrix_twitter_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-twitter.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_twitter_systemd_service_result.changed" - name: Ensure matrix-mautrix-twitter.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-twitter.service" state: restarted + daemon_reload: true when: "matrix_mautrix_twitter_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml index 5f6b14916..2a73e4818 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml @@ -5,20 +5,15 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" register: matrix_mautrix_twitter_service_stat -- name: Ensure matrix-mautrix-twitter is stopped - ansible.builtin.service: - name: matrix-mautrix-twitter - state: stopped - daemon_reload: true - when: "matrix_mautrix_twitter_service_stat.stat.exists" +- when: matrix_mautrix_twitter_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-twitter is stopped + ansible.builtin.service: + name: matrix-mautrix-twitter + state: stopped + daemon_reload: true -- name: Ensure matrix-mautrix-twitter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" - state: absent - when: "matrix_mautrix_twitter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-twitter.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_twitter_service_stat.stat.exists" + - name: Ensure matrix-mautrix-twitter.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 326dca83a..cfd408a7b 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -1,12 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-twitter settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_twitter_appservice_token" - - "matrix_mautrix_twitter_homeserver_token" - - "matrix_mautrix_twitter_database_hostname" - - "matrix_mautrix_twitter_database_password" + - {'name': 'matrix_mautrix_twitter_appservice_token', when: true} + - {'name': 'matrix_mautrix_twitter_homeserver_token', when: true} + - {'name': 'matrix_mautrix_twitter_database_hostname', when: "{{ matrix_mautrix_twitter_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index da823d1eb..bfcfdecb4 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -65,7 +65,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_twitter_metrics_enabled | to_json }} listen_port: 8000 # Bridge config @@ -126,15 +126,15 @@ bridge: # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_twitter_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_twitter_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: false + allow: {{ matrix_mautrix_twitter_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 55b7387f1..a308811a7 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.7.1 +matrix_mautrix_whatsapp_version: v0.9.0 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" @@ -47,6 +47,16 @@ matrix_mautrix_whatsapp_logging_level: 'warn' # If false, created portal rooms will never be federated. matrix_mautrix_whatsapp_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_whatsapp_metrics_proxying_enabled`. +matrix_mautrix_whatsapp_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-whatsapp`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_whatsapp_metrics_proxying_enabled: false + # Database-related configuration fields. # # To use SQLite, stick to these defaults. @@ -61,7 +71,7 @@ matrix_mautrix_whatsapp_sqlite_database_path_in_container: "/data/mautrix-whatsa matrix_mautrix_whatsapp_database_username: 'matrix_mautrix_whatsapp' matrix_mautrix_whatsapp_database_password: 'some-password' -matrix_mautrix_whatsapp_database_hostname: 'matrix-postgres' +matrix_mautrix_whatsapp_database_hostname: '' matrix_mautrix_whatsapp_database_port: 5432 matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp' @@ -87,7 +97,7 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map: "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}" # Enable End-to-bridge encryption -matrix_mautrix_whatsapp_bridge_encryption_allow: false +matrix_mautrix_whatsapp_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}" matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}" @@ -102,6 +112,12 @@ matrix_mautrix_whatsapp_bridge_permissions: | | combine({matrix_admin: 'admin'} if matrix_admin else {}) }} +# Enable bridge relay functionality +matrix_mautrix_whatsapp_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + +# Only allow admins on this home server to set themselves as a relay user +matrix_mautrix_whatsapp_bridge_relay_admin_only: true + # Default mautrix-whatsapp configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml deleted file mode 100644 index 7907c73d0..000000000 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}" - when: matrix_mautrix_whatsapp_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_whatsapp_config_path }}/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-whatsapp-registration.yaml"] - }} - when: matrix_mautrix_whatsapp_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..03113dcc5 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-whatsapp role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_whatsapp_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-whatsapp metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) + ansible.builtin.set_fact: + matrix_mautrix_whatsapp_nginx_metrics_configuration_block: | + location /metrics/mautrix-whatsapp { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-whatsapp:8001"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-whatsapp metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_whatsapp_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index 4df6fd23b..cb4e8deac 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml @@ -1,22 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_whatsapp_enabled | bool" - tags: +- tags: - setup-all - - setup-mautrix-whatsapp + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_mautrix_whatsapp_enabled" - tags: +- tags: - setup-all - setup-mautrix-whatsapp + - install-all + - install-mautrix-whatsapp + block: + - when: matrix_mautrix_whatsapp_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_whatsapp_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_mautrix_whatsapp_enabled" - tags: +- tags: - setup-all - setup-mautrix-whatsapp + block: + - when: not matrix_mautrix_whatsapp_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 6b376946d..e41fe9c3a 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-whatsapp role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_whatsapp_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_whatsapp_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -30,10 +25,6 @@ systemd_services_to_stop: ['matrix-mautrix-whatsapp.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_whatsapp_requires_restart: true @@ -106,11 +97,17 @@ when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db" when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json" when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists" - name: Ensure mautrix-whatsapp config.yaml installed @@ -134,15 +131,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" mode: 0644 - register: matrix_mautrix_whatsapp_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-whatsapp.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_whatsapp_systemd_service_result.changed" - name: Ensure matrix-mautrix-whatsapp.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-whatsapp.service" state: restarted + daemon_reload: true when: "matrix_mautrix_whatsapp_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml index ff2150011..98607b945 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" register: matrix_mautrix_whatsapp_service_stat -- name: Ensure matrix-mautrix-whatsapp is stopped - ansible.builtin.service: - name: matrix-mautrix-whatsapp - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_whatsapp_service_stat.stat.exists" +- when: matrix_mautrix_whatsapp_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-whatsapp is stopped + ansible.builtin.service: + name: matrix-mautrix-whatsapp + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-whatsapp.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" - state: absent - when: "matrix_mautrix_whatsapp_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-whatsapp.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_whatsapp_service_stat.stat.exists" + - name: Ensure matrix-mautrix-whatsapp.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml index 863dc926f..0a6a38cd7 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml @@ -1,14 +1,14 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-whatsapp settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_whatsapp_appservice_token" - - "matrix_mautrix_whatsapp_homeserver_token" - + - {'name': 'matrix_mautrix_whatsapp_appservice_token', when: true} + - {'name': 'matrix_mautrix_whatsapp_homeserver_token', when: true} + - {'name': 'matrix_mautrix_whatsapp_database_hostname', when: "{{ matrix_mautrix_whatsapp_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 9c0b95e8d..ad381f6aa 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -67,9 +67,9 @@ segment_key: null # Prometheus config. metrics: # Enable prometheus metrics? - enabled: false + enabled: {{ matrix_mautrix_whatsapp_metrics_enabled | to_json }} # IP and port where the metrics listener should be. The path is always /metrics - listen: 127.0.0.1:8001 + listen: 0.0.0.0:8001 # Config for things that are directly sent to WhatsApp. whatsapp: @@ -290,6 +290,8 @@ bridge: # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. # This is currently not supported in most clients. caption_in_message: false + # Should polls be sent using MSC3381 event types? + extev_polls: false # Should Matrix edits be bridged to WhatsApp edits? # Official WhatsApp clients don't render edits yet, but once they do, the bridge should work with them right away. send_whatsapp_edits: false @@ -394,9 +396,9 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_mautrix_whatsapp_bridge_relay_enabled | to_json }} # Should only admins be allowed to set themselves as relay users? - admin_only: true + admin_only: {{ matrix_mautrix_whatsapp_bridge_relay_admin_only | to_json }} # The formats to use when sending messages to WhatsApp via the relaybot. message_formats: m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml index 771af9922..be6911570 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -66,7 +66,7 @@ matrix_mx_puppet_discord_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_discord_database_username: matrix_mx_puppet_discord matrix_mx_puppet_discord_database_password: ~ -matrix_mx_puppet_discord_database_hostname: 'matrix-postgres' +matrix_mx_puppet_discord_database_hostname: '' matrix_mx_puppet_discord_database_port: 5432 matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml deleted file mode 100644 index 9e2a937fe..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-discord image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build and matrix_mx_puppet_discord_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" - when: matrix_mx_puppet_discord_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_discord_config_path }}/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-discord-registration.yaml"] - }} - when: matrix_mx_puppet_discord_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index 281092e1a..c0300b513 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_discord_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-discord + - install-all + - install-mx-puppet-discord + block: + - when: matrix_mx_puppet_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_discord_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-discord + - when: matrix_mx_puppet_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_discord_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-discord + block: + - when: not matrix_mx_puppet_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 3b119745c..8bf19f80e 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-discord role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Discord paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -54,8 +46,11 @@ - when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_discord_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -63,10 +58,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-discord.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mx_puppet_discord_requires_restart: true @@ -126,15 +117,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-discord.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-discord.service" mode: 0644 - register: matrix_mx_puppet_discord_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-discord.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_discord_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-discord.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-discord.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_discord_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml index 585c6c856..c1ed9ec36 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-discord.service" register: matrix_mx_puppet_discord_service_stat -- name: Ensure matrix-mx-puppet-discord is stopped - ansible.builtin.service: - name: matrix-mx-puppet-discord - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_discord_service_stat.stat.exists" +- when: matrix_mx_puppet_discord_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-discord is stopped + ansible.builtin.service: + name: matrix-mx-puppet-discord + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-discord.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-discord.service" - state: absent - when: "matrix_mx_puppet_discord_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-discord.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_discord_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-discord.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-discord.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml index e73a868a5..4526198a0 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-discord settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_discord_appservice_token" - - "matrix_mx_puppet_discord_homeserver_token" + - {'name': 'matrix_mx_puppet_discord_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_discord_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_discord_database_hostname', when: "{{ matrix_mx_puppet_discord_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 59b8c1936..ca9d7668f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -62,7 +62,7 @@ matrix_mx_puppet_groupme_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_groupme_database_username: matrix_mx_puppet_groupme matrix_mx_puppet_groupme_database_password: ~ -matrix_mx_puppet_groupme_database_hostname: 'matrix-postgres' +matrix_mx_puppet_groupme_database_hostname: '' matrix_mx_puppet_groupme_database_port: 5432 matrix_mx_puppet_groupme_database_name: matrix_mx_puppet_groupme diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml deleted file mode 100644 index 76d184dd1..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-groupme image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build and matrix_mx_puppet_groupme_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" - when: matrix_mx_puppet_groupme_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_groupme_config_path }}/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-groupme-registration.yaml"] - }} - when: matrix_mx_puppet_groupme_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index 8cc557592..de225e71d 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_groupme_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-groupme + - install-all + - install-mx-puppet-groupme + block: + - when: matrix_mx_puppet_groupme_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_groupme_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-groupme + - when: matrix_mx_puppet_groupme_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_groupme_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-groupme + block: + - when: not matrix_mx_puppet_groupme_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 400de9c58..0ba1e699f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-groupme role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Groupme paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -37,7 +29,10 @@ when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-groupme database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_groupme_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_groupme_base_path }}/database.db" when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - ansible.builtin.set_fact: @@ -52,8 +47,11 @@ - when: "matrix_mx_puppet_groupme_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_groupme_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_groupme_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -61,10 +59,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-groupme.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mx_puppet_groupme_requires_restart: true @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-groupme.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-groupme.service" mode: 0644 - register: matrix_mx_puppet_groupme_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-groupme.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_groupme_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-groupme.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-groupme.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_groupme_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml index 5ded61070..ce0823e6e 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" register: matrix_mx_puppet_groupme_service_stat -- name: Ensure matrix-mx-puppet-groupme is stopped - ansible.builtin.service: - name: matrix-mx-puppet-groupme - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_groupme_service_stat.stat.exists" +- when: matrix_mx_puppet_groupme_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-groupme is stopped + ansible.builtin.service: + name: matrix-mx-puppet-groupme + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-groupme.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" - state: absent - when: "matrix_mx_puppet_groupme_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-groupme.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_groupme_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-groupme.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml index d091de6dc..60d8fffd2 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-groupme settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_groupme_appservice_token" - - "matrix_mx_puppet_groupme_homeserver_token" + - {'name': 'matrix_mx_puppet_groupme_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_groupme_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_groupme_database_hostname', when: "{{ matrix_mx_puppet_groupme_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml index aae6eb5a7..0f6dd4438 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -56,7 +56,7 @@ matrix_mx_puppet_instagram_sqlite_database_path_in_container: "/data/database.db matrix_mx_puppet_instagram_database_username: matrix_mx_puppet_instagram matrix_mx_puppet_instagram_database_password: ~ -matrix_mx_puppet_instagram_database_hostname: 'matrix-postgres' +matrix_mx_puppet_instagram_database_hostname: '' matrix_mx_puppet_instagram_database_port: 5432 matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml deleted file mode 100644 index 741c32c0f..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-instagram image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build and matrix_mx_puppet_instagram_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" - when: matrix_mx_puppet_instagram_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_instagram_config_path }}/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-instagram-registration.yaml"] - }} - when: matrix_mx_puppet_instagram_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 978577cc3..0d46532ce 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_instagram_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-instagram + - install-all + - install-mx-puppet-instagram + block: + - when: matrix_mx_puppet_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_instagram_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-instagram + - when: matrix_mx_puppet_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_instagram_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-instagram + block: + - when: not matrix_mx_puppet_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index c98535e3b..be68d9fc1 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -1,14 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-instagram role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - - ansible.builtin.set_fact: matrix_mx_puppet_instagram_requires_restart: false @@ -21,8 +12,11 @@ - when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_instagram_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -30,10 +24,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-instagram.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mx_puppet_instagram_requires_restart: true @@ -107,15 +97,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-instagram.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-instagram.service" mode: 0644 - register: matrix_mx_puppet_instagram_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-instagram.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_instagram_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-instagram.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-instagram.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_instagram_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml index 2d5a98aa4..943c0556a 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" register: matrix_mx_puppet_instagram_service_stat -- name: Ensure matrix-mx-puppet-instagram is stopped - ansible.builtin.service: - name: matrix-mx-puppet-instagram - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_instagram_service_stat.stat.exists" +- when: matrix_mx_puppet_instagram_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-instagram is stopped + ansible.builtin.service: + name: matrix-mx-puppet-instagram + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-instagram.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" - state: absent - when: "matrix_mx_puppet_instagram_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-instagram.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_instagram_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-instagram.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml index 383fe5021..77be870f9 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-instagram settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_instagram_appservice_token" - - "matrix_mx_puppet_instagram_homeserver_token" + - {'name': 'matrix_mx_puppet_instagram_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_instagram_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_instagram_database_hostname', when: "{{ matrix_mx_puppet_instagram_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml index eae0b933b..b428c40bd 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -70,7 +70,7 @@ matrix_mx_puppet_slack_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_slack_database_username: matrix_mx_puppet_slack matrix_mx_puppet_slack_database_password: ~ -matrix_mx_puppet_slack_database_hostname: 'matrix-postgres' +matrix_mx_puppet_slack_database_hostname: '' matrix_mx_puppet_slack_database_port: 5432 matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml deleted file mode 100644 index 9eff170ac..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ /dev/null @@ -1,75 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-slack image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build and matrix_mx_puppet_slack_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" - when: matrix_mx_puppet_slack_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-slack-registration.yaml"] - }} - when: matrix_mx_puppet_slack_enabled | bool - -- when: matrix_mx_puppet_slack_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: | - location {{ matrix_mx_puppet_slack_redirect_path }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_mx_puppet_slack_appservice_address }}"; - proxy_pass $backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }}; - {% endif %} - } - - - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}` - URL endpoint to the matrix-mx-puppet-slack container. - You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. - when: "matrix_mx_puppet_slack_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..c4e82a5b5 --- /dev/null +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: | + location {{ matrix_mx_puppet_slack_redirect_path }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_mx_puppet_slack_appservice_address }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }}; + {% endif %} + } + +- name: Register Slack Appservice proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}` + URL endpoint to the matrix-mx-puppet-slack container. + You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml index 869afc497..63e074050 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_slack_enabled | bool" - tags: +- tags: - setup-all - - setup-mx-puppet-slack + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_slack_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-slack + - install-all + - install-mx-puppet-slack + block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_slack_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-slack + block: + - when: not matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index e5d837633..bba2d25c6 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Slack paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -48,8 +40,11 @@ - when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_slack_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -57,10 +52,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-slack.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mx_puppet_slack_requires_restart: true @@ -100,7 +91,10 @@ when: "matrix_mx_puppet_slack_enabled | bool and matrix_mx_puppet_slack_container_image_self_build" - name: (Data relocation) Move mx-puppet-slack database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_slack_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_slack_base_path }}/database.db" when: "matrix_mx_puppet_slack_stat_database.stat.exists" - name: Ensure mx-puppet-slack config.yaml installed @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-slack.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-slack.service" mode: 0644 - register: matrix_mx_puppet_slack_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_slack_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-slack.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-slack.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_slack_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml index 3f91b467b..444939198 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-slack.service" register: matrix_mx_puppet_slack_service_stat -- name: Ensure matrix-mx-puppet-slack is stopped - ansible.builtin.service: - name: matrix-mx-puppet-slack - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_slack_service_stat.stat.exists" +- when: matrix_mx_puppet_slack_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-slack is stopped + ansible.builtin.service: + name: matrix-mx-puppet-slack + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-slack.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-slack.service" - state: absent - when: "matrix_mx_puppet_slack_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_slack_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-slack.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml index ea917f97e..f3c9d1ebc 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-slack settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_slack_appservice_token" - - "matrix_mx_puppet_slack_homeserver_token" + - {'name': 'matrix_mx_puppet_slack_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_slack_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_slack_database_hostname', when: "{{ matrix_mx_puppet_slack_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml index 895411624..9efedb13b 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -62,7 +62,7 @@ matrix_mx_puppet_steam_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_steam_database_username: matrix_mx_puppet_steam matrix_mx_puppet_steam_database_password: ~ -matrix_mx_puppet_steam_database_hostname: 'matrix-postgres' +matrix_mx_puppet_steam_database_hostname: '' matrix_mx_puppet_steam_database_port: 5432 matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml deleted file mode 100644 index 5f9a5a833..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-steam image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build and matrix_mx_puppet_steam_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" - when: matrix_mx_puppet_steam_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_steam_config_path }}/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-steam-registration.yaml"] - }} - when: matrix_mx_puppet_steam_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index 236a7009f..66d2980d3 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_steam_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-steam + - install-all + - install-mx-puppet-steam + block: + - when: matrix_mx_puppet_steam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_steam_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-steam + - when: matrix_mx_puppet_steam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_steam_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-steam + block: + - when: not matrix_mx_puppet_steam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 988544691..f2ccea594 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-steam role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Steam paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -37,7 +29,10 @@ when: "matrix_mx_puppet_steam_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-steam database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_steam_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_steam_base_path }}/database.db" when: "matrix_mx_puppet_steam_stat_database.stat.exists" - ansible.builtin.set_fact: @@ -52,8 +47,11 @@ - when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_steam_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -61,10 +59,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-steam.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mx_puppet_steam_requires_restart: true @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-steam.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-steam.service" mode: 0644 - register: matrix_mx_puppet_steam_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-steam.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_steam_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-steam.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-steam.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_steam_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml index d88e54722..75d0ebc0f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-steam.service" register: matrix_mx_puppet_steam_service_stat -- name: Ensure matrix-mx-puppet-steam is stopped - ansible.builtin.service: - name: matrix-mx-puppet-steam - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_steam_service_stat.stat.exists" +- when: matrix_mx_puppet_steam_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-steam is stopped + ansible.builtin.service: + name: matrix-mx-puppet-steam + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-steam.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-steam.service" - state: absent - when: "matrix_mx_puppet_steam_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-steam.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_steam_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-steam.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-steam.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml index 2e54d6ffa..b25345dc6 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-steam settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_steam_appservice_token" - - "matrix_mx_puppet_steam_homeserver_token" + - {'name': 'matrix_mx_puppet_steam_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_steam_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_steam_database_hostname', when: "{{ matrix_mx_puppet_steam_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 73674220f..8e5e82f06 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -71,7 +71,7 @@ matrix_mx_puppet_twitter_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_twitter_database_username: mx_puppet_twitter matrix_mx_puppet_twitter_database_password: ~ -matrix_mx_puppet_twitter_database_hostname: 'matrix-postgres' +matrix_mx_puppet_twitter_database_hostname: '' matrix_mx_puppet_twitter_database_port: 5432 matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml deleted file mode 100644 index a58cd9ac6..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ /dev/null @@ -1,75 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-twitter image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build and matrix_mx_puppet_twitter_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" - when: matrix_mx_puppet_twitter_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_twitter_config_path }}/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-twitter-registration.yaml"] - }} - when: matrix_mx_puppet_twitter_enabled | bool - -- when: matrix_mx_puppet_twitter_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix MX Puppet Twitter proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration: | - location {{ matrix_mx_puppet_twitter_webhook_path }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}"; - proxy_pass $backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_twitter_appservice_port }}; - {% endif %} - } - - - name: Register Twitter Appservice proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix Twitter bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mx_puppet_twitter_redirect_path }}` - URL endpoint to the matrix-mx-puppet-twitter container. - You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable. - when: "matrix_mx_puppet_twitter_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..df2b76feb --- /dev/null +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix MX Puppet Twitter proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration: | + location {{ matrix_mx_puppet_twitter_webhook_path }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_twitter_appservice_port }}; + {% endif %} + } + +- name: Register Twitter Appservice proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix Twitter bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mx_puppet_twitter_redirect_path }}` + URL endpoint to the matrix-mx-puppet-twitter container. + You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml index 20e4f6862..d6d681037 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_twitter_enabled | bool" - tags: +- tags: - setup-all - - setup-mx-puppet-twitter + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_twitter_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-twitter + - install-all + - install-mx-puppet-twitter + block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_twitter_enabled | bool" - tags: +- tags: - setup-all - setup-mx-puppet-twitter + block: + - when: not matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index d5ebec74e..9224e9568 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-twitter role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Twitter paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -37,7 +29,10 @@ when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-twitter database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_twitter_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - ansible.builtin.set_fact: @@ -52,8 +47,11 @@ - when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_twitter_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -61,10 +59,6 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-twitter.service'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mx_puppet_twitter_requires_restart: true @@ -124,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-twitter.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-twitter.service" mode: 0644 - register: matrix_mx_puppet_twitter_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-twitter.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_twitter_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-twitter.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-twitter.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_twitter_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml index 6db13de08..c529f0b34 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-twitter.service" register: matrix_mx_puppet_twitter_service_stat -- name: Ensure matrix-mx-puppet-twitter is stopped - ansible.builtin.service: - name: matrix-mx-puppet-twitter - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_twitter_service_stat.stat.exists" +- when: matrix_mx_puppet_twitter_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-twitter is stopped + ansible.builtin.service: + name: matrix-mx-puppet-twitter + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-twitter.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-twitter.service" - state: absent - when: "matrix_mx_puppet_twitter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-twitter.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_twitter_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-twitter.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-twitter.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml index b5b7ef5b7..373c1ccb8 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-twitter settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_twitter_appservice_token" - - "matrix_mx_puppet_twitter_homeserver_token" + - {'name': 'matrix_mx_puppet_twitter_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_twitter_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_twitter_database_hostname', when: "{{ matrix_mx_puppet_twitter_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-sms/tasks/init.yml b/roles/custom/matrix-bridge-sms/tasks/init.yml deleted file mode 100644 index 3c044c152..000000000 --- a/roles/custom/matrix-bridge-sms/tasks/init.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-sms-bridge role needs to execute before the matrix-synapse role. - when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}" - when: matrix_sms_bridge_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_sms_bridge_config_path }}/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-sms-bridge-registration.yaml"] - }} - when: matrix_sms_bridge_enabled | bool diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index 1a6b964ba..57d517275 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_sms_bridge_enabled | bool" - tags: +- tags: - setup-all - setup-matrix-sms-bridge + - install-all + - install-matrix-sms-bridge + block: + - when: matrix_sms_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_sms_bridge_enabled | bool" - tags: - - setup-all - - setup-matrix-sms-bridge + - when: matrix_sms_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_sms_bridge_enabled | bool" - tags: +- tags: - setup-all - setup-matrix-sms-bridge + block: + - when: not matrix_sms_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-sms/tasks/setup_install.yml b/roles/custom/matrix-bridge-sms/tasks/setup_install.yml index 2050797af..b3d78a342 100644 --- a/roles/custom/matrix-bridge-sms/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-sms/tasks/setup_install.yml @@ -51,9 +51,3 @@ src: "{{ role_path }}/templates/systemd/matrix-sms-bridge.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sms-bridge.service" mode: 0644 - register: matrix_sms_bridge_systemd_service_result - -- name: Ensure systemd reloaded after matrix-sms-bridge.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_sms_bridge_systemd_service_result.changed diff --git a/roles/custom/matrix-cactus-comments/defaults/main.yml b/roles/custom/matrix-cactus-comments/defaults/main.yml index 224a53489..80f8c15ee 100644 --- a/roles/custom/matrix-cactus-comments/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments/defaults/main.yml @@ -31,10 +31,12 @@ matrix_cactus_comments_version: 0.9.0 matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}" matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}" -# matrix_cactus_comments_client_version specifies the version of the cactus-client release to use. +# The released & compiled client is uploaded to a URL that changes per commit. Therefore it is necessary to check the +# available versions and adjust the url manually. # For available versions, see: https://gitlab.com/cactus-comments/cactus-client/-/releases # Also see: `matrix_cactus_comments_client_local_dir` -matrix_cactus_comments_client_version: "0.13.0" +matrix_cactus_comments_webclient_js_url: "https://gateway.pinata.cloud/ipfs/QmSiWN27KZZ1XE32jKwifBnS3nWTUcFGNArKzur2nmDgoL/v0.13.0/cactus.js" +matrix_cactus_comments_webclient_css_url: "https://gateway.pinata.cloud/ipfs/QmSiWN27KZZ1XE32jKwifBnS3nWTUcFGNArKzur2nmDgoL/v0.13.0/style.css" # matrix_cactus_comments_client_local_dir specifies a local directory (on the Ansible controller, not on the remote server) with cactus-client files to use. # This is an alternative to `matrix_cactus_comments_client_version`, to be used when you'd like to diff --git a/roles/custom/matrix-cactus-comments/tasks/init.yml b/roles/custom/matrix-cactus-comments/tasks/inject_into_nginx_proxy.yml similarity index 67% rename from roles/custom/matrix-cactus-comments/tasks/init.yml rename to roles/custom/matrix-cactus-comments/tasks/inject_into_nginx_proxy.yml index 5067d0254..a1da604c9 100644 --- a/roles/custom/matrix-cactus-comments/tasks/init.yml +++ b/roles/custom/matrix-cactus-comments/tasks/inject_into_nginx_proxy.yml @@ -1,30 +1,6 @@ --- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-cactus-comments.service'] }}" - when: matrix_cactus_comments_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_cactus_comments_app_service_config_file }},dst=/matrix-cactus-comments.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-cactus-comments.yaml"] - }} - when: matrix_cactus_comments_enabled | bool - -- when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool - tags: - - always - block: +- block: - name: Fail if matrix-nginx-proxy role already executed ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml index 857e2db19..c1a08d328 100644 --- a/roles/custom/matrix-cactus-comments/tasks/main.yml +++ b/roles/custom/matrix-cactus-comments/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_cactus_comments_enabled | bool" - tags: +- tags: - setup-all - - setup-cactus-comments + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_cactus_comments_enabled | bool" - tags: +- tags: - setup-all - setup-cactus-comments + - install-all + - install-cactus-comments + block: + - when: matrix_cactus_comments_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_cactus_comments_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_cactus_comments_enabled | bool" - tags: +- tags: - setup-all - setup-cactus-comments + block: + - when: not matrix_cactus_comments_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-cactus-comments/tasks/setup_install.yml b/roles/custom/matrix-cactus-comments/tasks/setup_install.yml index 8de14d19b..03b97d0ad 100644 --- a/roles/custom/matrix-cactus-comments/tasks/setup_install.yml +++ b/roles/custom/matrix-cactus-comments/tasks/setup_install.yml @@ -67,37 +67,16 @@ - when: matrix_cactus_comments_client_local_dir | length == 0 block: - - name: Download client binary to local folder + - name: Download web client js ansible.builtin.get_url: - url: "https://gitlab.com/cactus-comments/cactus-client/-/archive/v{{ matrix_cactus_comments_client_version }}/cactus-client-v{{ matrix_cactus_comments_client_version }}.tar.gz" - dest: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz" - mode: '0644' - register: _download_client - until: _download_client is succeeded - retries: 5 - delay: 2 - check_mode: false - - - name: Unpack client - ansible.builtin.unarchive: - src: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz" - dest: "/tmp/" - remote_src: true - mode: 0600 - check_mode: false - - - name: Propagate client javascript file - ansible.builtin.copy: - src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/cactus.js" - remote_src: true + url: "{{ matrix_cactus_comments_webclient_js_url }}" dest: "{{ matrix_cactus_comments_client_path }}/cactus.js" mode: "{{ matrix_cactus_comments_client_file_permissions }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - - name: Propagate client style file - ansible.builtin.copy: - src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/style.css" - remote_src: true + - name: Download web client css + ansible.builtin.get_url: + url: "{{ matrix_cactus_comments_webclient_css_url }}" dest: "{{ matrix_cactus_comments_client_path }}/style.css" mode: "{{ matrix_cactus_comments_client_file_permissions }}" owner: "{{ matrix_user_username }}" @@ -125,14 +104,3 @@ src: "{{ role_path }}/templates/systemd/matrix-cactus-comments.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service" mode: 0644 - register: matrix_cactus_comments_systemd_service_result - -- name: Ensure systemd reloaded after matrix-cactus-comments.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_cactus_comments_systemd_service_result.changed | bool" - -- name: Ensure matrix-cactus-comments.service restarted, if necessary - ansible.builtin.service: - name: "matrix-cactus-comments.service" - state: restarted diff --git a/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml b/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml index bd46f252b..e3a5f3909 100644 --- a/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service" register: matrix_cactus_comments_service_stat -- name: Ensure cactus comments is stopped - ansible.builtin.service: - name: matrix-cactus-comments - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_cactus_comments_service_stat.stat.exists | bool" +- when: matrix_cactus_comments_service_stat.stat.exists | bool + block: + - name: Ensure cactus comments is stopped + ansible.builtin.service: + name: matrix-cactus-comments + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-cactus-comments.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service" - state: absent - when: "matrix_cactus_comments_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-cactus-comments.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_cactus_comments_service_stat.stat.exists | bool" - -- name: Ensure Matrix cactus comments paths don't exist - ansible.builtin.file: - path: "{{ matrix_cactus_comments_base_path }}" - state: absent + - name: Ensure matrix-cactus-comments.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service" + state: absent -- name: Ensure cactus comments Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_cactus_comments_docker_image }}" - state: absent + - name: Ensure Matrix cactus comments paths don't exist + ansible.builtin.file: + path: "{{ matrix_cactus_comments_base_path }}" + state: absent diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index de974eb12..6b771fdc1 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" -matrix_client_cinny_version: v2.2.2 +matrix_client_cinny_version: v2.2.6 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" @@ -14,17 +14,128 @@ matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_imag matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src" +# The base container network +matrix_client_cinny_container_network: matrix-client-cinny + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_client_cinny_container_additional_networks: [] + # Controls whether the container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. matrix_client_cinny_container_http_host_bind_port: '' + +# matrix_client_cinny_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_client_cinny_container_labels_additional_labels`. +matrix_client_cinny_container_labels_traefik_enabled: true +matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_client_cinny_container_network }}" +matrix_client_cinny_container_labels_traefik_hostname: "{{ matrix_client_cinny_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/cinny`). +matrix_client_cinny_container_labels_traefik_path_prefix: "{{ matrix_client_cinny_path_prefix }}" +matrix_client_cinny_container_labels_traefik_rule: "Host(`{{ matrix_client_cinny_container_labels_traefik_hostname }}`){% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_client_cinny_container_labels_traefik_priority: 0 +matrix_client_cinny_container_labels_traefik_entrypoints: web-secure +matrix_client_cinny_container_labels_traefik_tls: "{{ matrix_client_cinny_container_labels_traefik_entrypoints != 'web' }}" +matrix_client_cinny_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_client_cinny_container_labels_traefik_additional_response_headers_custom` +matrix_client_cinny_container_labels_traefik_additional_response_headers: "{{ matrix_client_cinny_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_cinny_container_labels_traefik_additional_response_headers_custom) }}" +matrix_client_cinny_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_client_cinny_http_header_xss_protection} if matrix_client_cinny_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_client_cinny_http_header_frame_options} if matrix_client_cinny_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_client_cinny_http_header_content_type_options} if matrix_client_cinny_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_client_cinny_http_header_content_security_policy} if matrix_client_cinny_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_client_cinny_http_header_content_permission_policy} if matrix_client_cinny_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_client_cinny_http_header_strict_transport_security} if matrix_client_cinny_http_header_strict_transport_security and matrix_client_cinny_container_labels_traefik_tls else {}) + }} +matrix_client_cinny_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_cinny_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_cinny_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_cinny_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_client_cinny_container_extra_arguments: [] # List of systemd services that matrix-client-cinny.service depends on matrix_client_cinny_systemd_required_services_list: ['docker.service'] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_client_cinny_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_client_cinny_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_client_cinny_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_client_cinny_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_cinny_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_client_cinny_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_cinny_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_client_cinny_content_permission_policy` +matrix_client_cinny_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_client_cinny_http_header_strict_transport_security` +matrix_client_cinny_hsts_preload_enabled: false + +# The hostname at which Cinny is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_cinny` is used and this variable has no effect. +matrix_client_cinny_hostname: "{{ matrix_server_fqn_cinny }}" + +# The path at which Cinny is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_client_cinny_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/cinny`). +matrix_client_cinny_path_prefix: / + # Controls whether the self-check feature should validate SSL certificates. matrix_client_cinny_self_check_validate_certificates: true diff --git a/roles/custom/matrix-client-cinny/tasks/init.yml b/roles/custom/matrix-client-cinny/tasks/init.yml deleted file mode 100644 index 00e46dc82..000000000 --- a/roles/custom/matrix-client-cinny/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}" - when: matrix_client_cinny_enabled | bool diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index 9eb007810..40c6514b5 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml @@ -1,30 +1,26 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_client_cinny_enabled | bool" - tags: +- tags: - setup-all - setup-client-cinny + - install-all + - install-client-cinny + block: + - when: matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_client_cinny_enabled | bool" - tags: +- tags: - setup-all - setup-client-cinny + block: + - when: not matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_client_cinny_enabled | bool" - tags: +- tags: - self-check - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_client_cinny_enabled | bool" - tags: - - setup-all - - setup-client-cinny + block: + - when: matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-client-cinny/tasks/self_check.yml b/roles/custom/matrix-client-cinny/tasks/self_check.yml index e0f9bfc1e..2ea64a32e 100644 --- a/roles/custom/matrix-client-cinny/tasks/self_check.yml +++ b/roles/custom/matrix-client-cinny/tasks/self_check.yml @@ -1,7 +1,7 @@ --- - ansible.builtin.set_fact: - matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json" + matrix_client_cinny_url_endpoint_public: "https://{{ matrix_client_cinny_hostname }}{{ matrix_client_cinny_path_prefix }}/config.json" - name: Check Cinny ansible.builtin.uri: @@ -11,12 +11,14 @@ register: matrix_client_cinny_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Cinny not working ansible.builtin.fail: - msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" + msg: "Failed checking Cinny is up at `{{ matrix_client_cinny_hostname }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result" - name: Report working Cinny ansible.builtin.debug: - msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" + msg: "Cinny at `{{ matrix_client_cinny_hostname }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" diff --git a/roles/custom/matrix-client-cinny/tasks/setup_install.yml b/roles/custom/matrix-client-cinny/tasks/setup_install.yml index 09b117be8..e4eb79387 100644 --- a/roles/custom/matrix-client-cinny/tasks/setup_install.yml +++ b/roles/custom/matrix-client-cinny/tasks/setup_install.yml @@ -51,7 +51,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "item.src is not none" + - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} - name: Ensure Cinny Docker image is built community.docker.docker_image: @@ -64,14 +64,13 @@ pull: true when: "matrix_client_cinny_container_image_self_build | bool" +- name: Ensure Cinny container network is created + community.general.docker_network: + name: "{{ matrix_client_cinny_container_network }}" + driver: bridge + - name: Ensure matrix-client-cinny.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service" mode: 0644 - register: matrix_client_cinny_systemd_service_result - -- name: Ensure systemd reloaded after matrix-client-cinny.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_cinny_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml b/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml index 5b67e819e..a73825623 100644 --- a/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml @@ -4,32 +4,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service" register: matrix_client_cinny_service_stat -- name: Ensure matrix-client-cinny is stopped - ansible.builtin.service: - name: matrix-client-cinny - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_client_cinny_service_stat.stat.exists | bool" +- when: matrix_client_cinny_service_stat.stat.exists | bool + block: + - name: Ensure matrix-client-cinny is stopped + ansible.builtin.service: + name: matrix-client-cinny + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-client-cinny.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service" - state: absent - when: "matrix_client_cinny_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-client-cinny.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_cinny_service_stat.stat.exists | bool" - -- name: Ensure Cinny paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_client_cinny_data_path }}" - state: absent + - name: Ensure matrix-client-cinny.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service" + state: absent -- name: Ensure Cinny Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_client_cinny_docker_image }}" - state: absent + - name: Ensure Cinny paths doesn't exist + ansible.builtin.file: + path: "{{ matrix_client_cinny_data_path }}" + state: absent diff --git a/roles/custom/matrix-client-cinny/tasks/validate_config.yml b/roles/custom/matrix-client-cinny/tasks/validate_config.yml index 10f64fee1..333872097 100644 --- a/roles/custom/matrix-client-cinny/tasks/validate_config.yml +++ b/roles/custom/matrix-client-cinny/tasks/validate_config.yml @@ -6,3 +6,23 @@ when: "vars[item] == '' or vars[item] is none" with_items: - "matrix_client_cinny_default_hs_url" + +- when: matrix_client_cinny_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-client-cinny Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_client_cinny_container_labels_traefik_hostname + - matrix_client_cinny_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_client_cinny_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_client_cinny_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_client_cinny_container_labels_traefik_path_prefix (`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/cinny`). + when: "matrix_client_cinny_container_labels_traefik_path_prefix != '/' and matrix_client_cinny_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-client-cinny/templates/labels.j2 b/roles/custom/matrix-client-cinny/templates/labels.j2 new file mode 100644 index 000000000..f1c4f49ad --- /dev/null +++ b/roles/custom/matrix-client-cinny/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_client_cinny_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_client_cinny_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_client_cinny_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.regex=({{ matrix_client_cinny_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-client-cinny-slashless-redirect'] %} +{% endif %} + +{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-cinny-strip-prefix.stripprefix.prefixes={{ matrix_client_cinny_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-client-cinny-strip-prefix'] %} +{% endif %} + +{% if matrix_client_cinny_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_client_cinny_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-client-cinny-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-client-cinny-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-client-cinny.rule={{ matrix_client_cinny_container_labels_traefik_rule }} +{% if matrix_client_cinny_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-client-cinny.priority={{ matrix_client_cinny_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-client-cinny.service=matrix-client-cinny +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-client-cinny.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-client-cinny.entrypoints={{ matrix_client_cinny_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-client-cinny.tls={{ matrix_client_cinny_container_labels_traefik_tls | to_json }} +{% if matrix_client_cinny_container_labels_traefik_tls %} +traefik.http.routers.matrix-client-cinny.tls.certResolver={{ matrix_client_cinny_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-client-cinny.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_client_cinny_container_labels_additional_labels }} diff --git a/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 b/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 index b9a66c74b..2c49a0f3b 100644 --- a/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 +++ b/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 @@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-cinny 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-cinny \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-cinny \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_client_cinny_container_network }} \ {% if matrix_client_cinny_container_http_host_bind_port %} -p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \ {% endif %} + --label-file={{ matrix_client_cinny_data_path }}/labels \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \ @@ -30,8 +33,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_client_cinny_docker_image }} +{% for network in matrix_client_cinny_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-cinny +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-cinny + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-cinny 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-client-cinny diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index a1543b5bb..123cbd32a 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.14 +matrix_client_element_version: v1.11.36 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" @@ -18,17 +18,127 @@ matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_ matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" matrix_client_element_docker_src_files_path: "{{ matrix_client_element_data_path }}/docker-src" +# The base container network +matrix_client_element_container_network: matrix-client-element + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_client_element_container_additional_networks: [] + # Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8765"), or empty string to not expose. matrix_client_element_container_http_host_bind_port: '' +# matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_client_element_container_labels_additional_labels`. +matrix_client_element_container_labels_traefik_enabled: true +matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_client_element_container_network }}" +matrix_client_element_container_labels_traefik_hostname: "{{ matrix_client_element_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +matrix_client_element_container_labels_traefik_path_prefix: "{{ matrix_client_element_path_prefix }}" +matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`){% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_element_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_client_element_container_labels_traefik_priority: 0 +matrix_client_element_container_labels_traefik_entrypoints: web-secure +matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}" +matrix_client_element_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_client_element_container_labels_traefik_additional_response_headers_custom` +matrix_client_element_container_labels_traefik_additional_response_headers: "{{ matrix_client_element_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_element_container_labels_traefik_additional_response_headers_custom) }}" +matrix_client_element_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_client_element_http_header_xss_protection} if matrix_client_element_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_client_element_http_header_frame_options} if matrix_client_element_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_client_element_http_header_content_type_options} if matrix_client_element_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_client_element_http_header_content_security_policy} if matrix_client_element_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_client_element_http_header_content_permission_policy} if matrix_client_element_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_client_element_http_header_strict_transport_security} if matrix_client_element_http_header_strict_transport_security and matrix_client_element_container_labels_traefik_tls else {}) + }} +matrix_client_element_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_element_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_client_element_container_extra_arguments: [] # List of systemd services that matrix-client-element.service depends on matrix_client_element_systemd_required_services_list: ['docker.service'] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_client_element_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_client_element_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_client_element_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_client_element_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_element_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_client_element_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_element_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_client_element_content_permission_policy` +matrix_client_element_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_client_element_http_header_strict_transport_security` +matrix_client_element_hsts_preload_enabled: false + +# The hostname at which Element is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_element` is used and this variable has no effect. +matrix_client_element_hostname: "{{ matrix_server_fqn_element }}" + +# The path at which Element is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_client_element_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/element`). +matrix_client_element_path_prefix: / + # Element config.json customizations matrix_client_element_default_server_name: "{{ matrix_domain }}" matrix_client_element_default_hs_url: "" @@ -49,7 +159,7 @@ matrix_client_element_welcome_user_id: ~ matrix_client_element_brand: "Element" # URL to Logo on welcome page -matrix_client_element_welcome_logo: "welcome/images/logo.svg" +matrix_client_element_welcome_logo: "themes/element/img/logos/element-logo.svg" # URL of link on welcome image matrix_client_element_welcome_logo_link: "https://element.io" @@ -81,6 +191,9 @@ matrix_client_element_self_check_validate_certificates: true # don't show the registration button on welcome page matrix_client_element_registration_enabled: false +# Default country code on welcome page when login by phone number +matrix_client_element_default_country_code: "GB" + # Controls whether presence will be enabled matrix_client_element_enable_presence_by_hs_url: ~ @@ -135,3 +248,70 @@ matrix_client_element_configuration_extension: "{{ matrix_client_element_configu # Holds the final Element configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_client_element_configuration_default`. matrix_client_element_configuration: "{{ matrix_client_element_configuration_default | combine(matrix_client_element_configuration_extension, recursive=True) }}" + +# Element Location sharing functionality +# More info: https://element.io/blog/element-launches-e2ee-location-sharing/ +# How to host your own map tile server: https://matrix.org/docs/guides/map-tile-server +matrix_client_element_location_sharing_enabled: false + +# Default Element location sharing map style configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_element_location_sharing_map_style_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_element_location_sharing_map_style_default: "{{ lookup('template', 'templates/map_style.json.j2') }}" + +# Your custom JSON configuration for Element location sharing map style should go to `matrix_client_element_location_sharing_map_style_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_element_location_sharing_map_style_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_element_location_sharing_map_style_default`. +# +# Example configuration override follows: +# +# matrix_client_element_location_sharing_map_style_extension_json: | +# { +# "sources": { +# "localsource": { +# "tileSize": 512 +# } +# } +# } +# +# Example configuration extension follows: +# +# matrix_client_element_location_sharing_map_style_extension_json: | +# { +# "sources": { +# "anothersource": { +# "attribution": "", +# "tileSize": 256, +# "tiles": ["https://anothertile.example.com/{z}/{x}/{y}.png"], +# "type": "raster" +# } +# } +# } +matrix_client_element_location_sharing_map_style_extension_json: '{}' + +matrix_client_element_location_sharing_map_style_extension: "{{ matrix_client_element_location_sharing_map_style_extension_json | from_json if matrix_client_element_location_sharing_map_style_extension_json | from_json is mapping else {} }}" + +# Holds the final Element location sharing map style configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_element_location_sharing_map_style_default`. +matrix_client_element_location_sharing_map_style: "{{ matrix_client_element_location_sharing_map_style_default | combine(matrix_client_element_location_sharing_map_style_extension, recursive=True) }}" + +# Example tile servers configuration +# matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles: ["https://tile.example.com/{z}/{x}/{y}.png"] +# or +# matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles: ["https://s1.example.com/{z}/{x}/{y}.png", "https://s2.example.com/{z}/{x}/{y}.png", "https://s3.example.com/{z}/{x}/{y}.png"] +matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles: [] + +# Map attribution (optional): +# Attribution for OpenStreetMap would be like this: +# matrix_client_element_location_sharing_map_style_content_sources_localsource_attribution: "© OpenStreetMap contributors" +# Leave blank, if map does not require attribution. +matrix_client_element_location_sharing_map_style_content_sources_localsource_attribution: "" diff --git a/roles/custom/matrix-client-element/tasks/init.yml b/roles/custom/matrix-client-element/tasks/init.yml deleted file mode 100644 index 7bdad9e1a..000000000 --- a/roles/custom/matrix-client-element/tasks/init.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" - when: matrix_client_element_enabled | bool - -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build and matrix_client_element_enabled" diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index 53a25afb9..770200678 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml +++ b/roles/custom/matrix-client-element/tasks/main.yml @@ -1,42 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_client_element_enabled | bool" - tags: - - setup-all - - setup-client-element - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/prepare_themes.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-client-element + - install-all + - install-client-element + block: + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_riot_web.yml" - when: run_setup | bool - tags: - - setup-all - - setup-client-element + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prepare_themes.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_client_element_enabled | bool" - tags: - - setup-all - - setup-client-element + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_client_element_enabled | bool" - tags: +- tags: - setup-all - setup-client-element + block: + - when: not matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_client_element_enabled | bool" - tags: +- tags: - self-check + block: + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-client-element/tasks/migrate_riot_web.yml b/roles/custom/matrix-client-element/tasks/migrate_riot_web.yml deleted file mode 100644 index bb62b7ce5..000000000 --- a/roles/custom/matrix-client-element/tasks/migrate_riot_web.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- - -- name: Check existence of matrix-riot-web.service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-riot-web.service" - register: matrix_client_riot_web_service_stat - when: "matrix_client_element_enabled | bool" - -- name: Ensure matrix-riot-web is stopped - ansible.builtin.service: - name: matrix-riot-web - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_service_stat.stat.exists" - -- name: Ensure matrix-riot-web.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-riot-web.service" - state: absent - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-riot-web.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_service_stat.stat.exists" - -- name: Check existence of /matrix/riot-web - ansible.builtin.stat: - path: "/matrix/riot-web" - register: matrix_client_riot_web_dir_stat - when: "matrix_client_element_enabled | bool" - -- name: Relocate /matrix/riot-web to /matrix/client-element - ansible.builtin.command: "mv /matrix/riot-web /matrix/client-element" - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_dir_stat.stat.exists" diff --git a/roles/custom/matrix-client-element/tasks/prepare_themes.yml b/roles/custom/matrix-client-element/tasks/prepare_themes.yml index 3f5c9783c..70646c94c 100644 --- a/roles/custom/matrix-client-element/tasks/prepare_themes.yml +++ b/roles/custom/matrix-client-element/tasks/prepare_themes.yml @@ -9,29 +9,29 @@ delegate_to: 127.0.0.1 become: false block: - - name: Ensure Element themes repository is pulled - ansible.builtin.git: - repo: "{{ matrix_client_element_themes_repository_url }}" - version: "{{ matrix_client_element_themes_repository_version }}" - dest: "{{ role_path }}/files/scratchpad/themes" + - name: Ensure Element themes repository is pulled + ansible.builtin.git: + repo: "{{ matrix_client_element_themes_repository_url }}" + version: "{{ matrix_client_element_themes_repository_version }}" + dest: "{{ role_path }}/files/scratchpad/themes" - - name: Find all Element theme files - ansible.builtin.find: - paths: "{{ role_path }}/files/scratchpad/themes" - patterns: "*.json" - recurse: true - register: matrix_client_element_theme_file_list + - name: Find all Element theme files + ansible.builtin.find: + paths: "{{ role_path }}/files/scratchpad/themes" + patterns: "*.json" + recurse: true + register: matrix_client_element_theme_file_list - - name: Read Element theme - ansible.builtin.slurp: - path: "{{ item.path }}" - register: "matrix_client_element_theme_file_contents" - with_items: "{{ matrix_client_element_theme_file_list.files }}" + - name: Read Element theme + ansible.builtin.slurp: + path: "{{ item.path }}" + register: "matrix_client_element_theme_file_contents" + with_items: "{{ matrix_client_element_theme_file_list.files }}" - - name: Load Element theme - ansible.builtin.set_fact: - matrix_client_element_settingDefaults_custom_themes: "{{ matrix_client_element_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming - with_items: "{{ matrix_client_element_theme_file_contents.results }}" + - name: Load Element theme + ansible.builtin.set_fact: + matrix_client_element_settingDefaults_custom_themes: "{{ matrix_client_element_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming + with_items: "{{ matrix_client_element_theme_file_contents.results }}" # # Tasks related to getting rid of Element themes (if it was previously enabled) diff --git a/roles/custom/matrix-client-element/tasks/self_check.yml b/roles/custom/matrix-client-element/tasks/self_check.yml index 031bb5f90..c336e4b65 100644 --- a/roles/custom/matrix-client-element/tasks/self_check.yml +++ b/roles/custom/matrix-client-element/tasks/self_check.yml @@ -11,6 +11,8 @@ register: matrix_client_element_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Element not working ansible.builtin.fail: diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index 0edb0b50e..50d6370f7 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -50,16 +50,14 @@ when: "matrix_client_element_container_image_self_build | bool and matrix_client_element_container_image_self_build_low_memory_system_patch_enabled | bool" - name: Ensure Element Docker image is built - community.docker.docker_image: - name: "{{ matrix_client_element_docker_image }}" - source: build - force_source: "{{ matrix_client_element_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_client_element_docker_src_files_path }}" - pull: true - when: "matrix_client_element_container_image_self_build | bool" + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_client_element_docker_image }} + --file={{ matrix_client_element_docker_src_files_path }}/Dockerfile + {{ matrix_client_element_docker_src_files_path }} + changed_when: true + when: matrix_client_element_container_image_self_build | bool - name: Ensure Element configuration installed ansible.builtin.copy: @@ -69,6 +67,15 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Element location sharing map style installed + when: matrix_client_element_location_sharing_enabled | bool + ansible.builtin.copy: + content: "{{ matrix_client_element_location_sharing_map_style | to_nice_json }}" + dest: "{{ matrix_client_element_data_path }}/map_style.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure Element config files installed ansible.builtin.template: src: "{{ item.src }}" @@ -78,6 +85,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"} - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} when: "item.src is not none" @@ -90,14 +98,13 @@ - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} when: "item.src is none" +- name: Ensure Element container network is created + community.general.docker_network: + name: "{{ matrix_client_element_container_network }}" + driver: bridge + - name: Ensure matrix-client-element.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-client-element.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service" mode: 0644 - register: matrix_client_element_systemd_service_result - -- name: Ensure systemd reloaded after matrix-client-element.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_element_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-client-element/tasks/setup_uninstall.yml b/roles/custom/matrix-client-element/tasks/setup_uninstall.yml index 3a1de4094..e0930cc11 100644 --- a/roles/custom/matrix-client-element/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-client-element/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service" register: matrix_client_element_service_stat -- name: Ensure matrix-client-element is stopped - ansible.builtin.service: - name: matrix-client-element - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_client_element_service_stat.stat.exists | bool" +- when: matrix_client_element_service_stat.stat.exists | bool + block: + - name: Ensure matrix-client-element is stopped + ansible.builtin.service: + name: matrix-client-element + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-client-element.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service" - state: absent - when: "matrix_client_element_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-client-element.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_element_service_stat.stat.exists | bool" - -- name: Ensure Element paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_client_element_data_path }}" - state: absent + - name: Ensure matrix-client-element.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service" + state: absent -- name: Ensure Element Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_client_element_docker_image }}" - state: absent + - name: Ensure Element path doesn't exist + ansible.builtin.file: + path: "{{ matrix_client_element_data_path }}" + state: absent diff --git a/roles/custom/matrix-client-element/tasks/validate_config.yml b/roles/custom/matrix-client-element/tasks/validate_config.yml index fdf74f07d..fdf42df7a 100644 --- a/roles/custom/matrix-client-element/tasks/validate_config.yml +++ b/roles/custom/matrix-client-element/tasks/validate_config.yml @@ -8,6 +8,14 @@ with_items: - "matrix_client_element_default_hs_url" +- name: Fail if Element location sharing enabled, but no tile server defined + ansible.builtin.fail: + msg: >- + You need to define at least one map tile server in matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles list + when: + - matrix_client_element_location_sharing_enabled | bool + - matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles | length == 0 + - name: (Deprecation) Catch and report riot-web variables ansible.builtin.fail: msg: >- @@ -18,3 +26,23 @@ when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_riot_web_.*', 'new': 'matrix_client_element_.*'} + +- when: matrix_client_element_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-client-element Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_client_element_container_labels_traefik_hostname + - matrix_client_element_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_client_element_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_client_element_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_client_element_container_labels_traefik_path_prefix (`{{ matrix_client_element_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/element`). + when: "matrix_client_element_container_labels_traefik_path_prefix != '/' and matrix_client_element_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index e34773981..c0d11abdb 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -1,45 +1,49 @@ { "default_server_config": { "m.homeserver": { - "base_url": {{ matrix_client_element_default_hs_url | string|to_json }}, - "server_name": {{ matrix_client_element_default_server_name | string|to_json }} + "base_url": {{ matrix_client_element_default_hs_url | string | to_json }}, + "server_name": {{ matrix_client_element_default_server_name | string | to_json }} }, "m.identity_server": { - "base_url": {{ matrix_client_element_default_is_url | string|to_json }} + "base_url": {{ matrix_client_element_default_is_url | string | to_json }} } }, "settingDefaults": { - "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes|to_json }} + "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes | to_json }} }, - "default_theme": {{ matrix_client_element_default_theme | string|to_json }}, - "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string|to_json }}, - "disable_custom_urls": {{ matrix_client_element_disable_custom_urls|to_json }}, - "disable_guests": {{ matrix_client_element_disable_guests|to_json }}, - "brand": {{ matrix_client_element_brand|to_json }}, - "integrations_ui_url": {{ matrix_client_element_integrations_ui_url | string|to_json }}, - "integrations_rest_url": {{ matrix_client_element_integrations_rest_url | string|to_json }}, - "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string|to_json }}, - "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url|to_json }}, - "showLabsSettings": {{ matrix_client_element_showLabsSettings|to_json }}, + "default_theme": {{ matrix_client_element_default_theme | string | to_json }}, + "default_country_code": {{ matrix_client_element_default_country_code | string | to_json }}, + "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string | to_json }}, + "disable_custom_urls": {{ matrix_client_element_disable_custom_urls | to_json }}, + "disable_guests": {{ matrix_client_element_disable_guests | to_json }}, + "brand": {{ matrix_client_element_brand | to_json }}, + "integrations_ui_url": {{ matrix_client_element_integrations_ui_url | string | to_json }}, + "integrations_rest_url": {{ matrix_client_element_integrations_rest_url | string | to_json }}, + "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls | to_json }}, + "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string | to_json }}, + "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url | to_json }}, + "showLabsSettings": {{ matrix_client_element_showLabsSettings | to_json }}, "roomDirectory": { - "servers": {{ matrix_client_element_roomdir_servers|to_json }} + "servers": {{ matrix_client_element_roomdir_servers | to_json }} }, - "welcomeUserId": {{ matrix_client_element_welcome_user_id|to_json }}, + "welcomeUserId": {{ matrix_client_element_welcome_user_id | to_json }}, {% if matrix_client_element_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url|to_json }}, + "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url | to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string|to_json }} + "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string | to_json }} }, {% if matrix_client_element_jitsi_preferredDomain %} "jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferredDomain | to_json }} }, + {% endif %} + {% if matrix_client_element_location_sharing_enabled %} + "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json", {% endif %} "branding": { - "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks|to_json }}, - "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl|to_json }}, - "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl|to_json }} + "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks | to_json }}, + "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl | to_json }}, + "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl | to_json }} } } diff --git a/roles/custom/matrix-client-element/templates/labels.j2 b/roles/custom/matrix-client-element/templates/labels.j2 new file mode 100644 index 000000000..de67299e2 --- /dev/null +++ b/roles/custom/matrix-client-element/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_client_element_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_client_element_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.regex=({{ matrix_client_element_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-client-element-slashless-redirect'] %} +{% endif %} + +{% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-element-strip-prefix.stripprefix.prefixes={{ matrix_client_element_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-client-element-strip-prefix'] %} +{% endif %} + +{% if matrix_client_element_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_client_element_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-client-element-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-client-element-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-client-element.rule={{ matrix_client_element_container_labels_traefik_rule }} +{% if matrix_client_element_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-client-element.priority={{ matrix_client_element_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-client-element.service=matrix-client-element +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-client-element.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-client-element.entrypoints={{ matrix_client_element_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-client-element.tls={{ matrix_client_element_container_labels_traefik_tls | to_json }} +{% if matrix_client_element_container_labels_traefik_tls %} +traefik.http.routers.matrix-client-element.tls.certResolver={{ matrix_client_element_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-client-element.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_client_element_container_labels_additional_labels }} diff --git a/roles/custom/matrix-client-element/templates/map_style.json.j2 b/roles/custom/matrix-client-element/templates/map_style.json.j2 new file mode 100644 index 000000000..1b92df633 --- /dev/null +++ b/roles/custom/matrix-client-element/templates/map_style.json.j2 @@ -0,0 +1,18 @@ +{ + "layers": [ + { + "id": "locallayer", + "source": "localsource", + "type": "raster" + } + ], + "sources": { + "localsource": { + "attribution": {{ matrix_client_element_location_sharing_map_style_content_sources_localsource_attribution|to_json }}, + "tileSize": 256, + "tiles": {{ matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles|to_json }}, + "type": "raster" + } + }, + "version": 8 +} diff --git a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index 52f3249a9..bbb509896 100644 --- a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -13,19 +13,25 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-element \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-element \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_client_element_container_network }} \ {% if matrix_client_element_container_http_host_bind_port %} -p {{ matrix_client_element_container_http_host_bind_port }}:8080 \ {% endif %} + --label-file={{ matrix_client_element_data_path }}/labels \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \ + {% if matrix_client_element_location_sharing_enabled %} + --mount type=bind,src={{ matrix_client_element_data_path }}/map_style.json,dst=/app/map_style.json,ro \ + {% endif %} {% if matrix_client_element_embedded_pages_home_path is not none %} --mount type=bind,src={{ matrix_client_element_data_path }}/home.html,dst=/app/home.html,ro \ {% endif %} @@ -35,8 +41,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_client_element_docker_image }} +{% for network in matrix_client_element_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-element +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-element + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index 80bdb021e..de16c8b69 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml @@ -3,30 +3,138 @@ matrix_client_hydrogen_enabled: true -# Self building is used by default because the `config.json` file is only read at build time. -# The pre-built images also were not functional as of 2021-05-15. -matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.3.4 -matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_client_hydrogen_version: v0.4.0 +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" +# The base container network +matrix_client_hydrogen_container_network: matrix-client-hydrogen + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_client_hydrogen_container_additional_networks: [] + # Controls whether the container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. matrix_client_hydrogen_container_http_host_bind_port: '' +# matrix_client_hydrogen_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_client_hydrogen_container_labels_additional_labels`. +matrix_client_hydrogen_container_labels_traefik_enabled: true +matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_client_hydrogen_container_network }}" +matrix_client_hydrogen_container_labels_traefik_hostname: "{{ matrix_client_hydrogen_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/hydrogen`). +matrix_client_hydrogen_container_labels_traefik_path_prefix: "{{ matrix_client_hydrogen_path_prefix }}" +matrix_client_hydrogen_container_labels_traefik_rule: "Host(`{{ matrix_client_hydrogen_container_labels_traefik_hostname }}`){% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_client_hydrogen_container_labels_traefik_priority: 0 +matrix_client_hydrogen_container_labels_traefik_entrypoints: web-secure +matrix_client_hydrogen_container_labels_traefik_tls: "{{ matrix_client_hydrogen_container_labels_traefik_entrypoints != 'web' }}" +matrix_client_hydrogen_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom` +matrix_client_hydrogen_container_labels_traefik_additional_response_headers: "{{ matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom) }}" +matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_client_hydrogen_http_header_xss_protection} if matrix_client_hydrogen_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_client_hydrogen_http_header_frame_options} if matrix_client_hydrogen_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_client_hydrogen_http_header_content_type_options} if matrix_client_hydrogen_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_client_hydrogen_http_header_content_security_policy} if matrix_client_hydrogen_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_client_hydrogen_http_header_content_permission_policy} if matrix_client_hydrogen_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_client_hydrogen_http_header_strict_transport_security} if matrix_client_hydrogen_http_header_strict_transport_security and matrix_client_hydrogen_container_labels_traefik_tls else {}) + }} +matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_hydrogen_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_hydrogen_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_hydrogen_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_client_hydrogen_container_extra_arguments: [] # List of systemd services that matrix-client-hydrogen.service depends on matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_client_hydrogen_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_client_hydrogen_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_client_hydrogen_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_client_hydrogen_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_hydrogen_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_client_hydrogen_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_hydrogen_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_client_hydrogen_content_permission_policy` +matrix_client_hydrogen_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_client_hydrogen_http_header_strict_transport_security` +matrix_client_hydrogen_hsts_preload_enabled: false + +# The hostname at which Hydrogen is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_hydrogen` is used and this variable has no effect. +matrix_client_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + +# The path at which Hydrogen is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_client_hydrogen_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/hydrogen`). +matrix_client_hydrogen_path_prefix: / + # Controls whether the self-check feature should validate SSL certificates. matrix_client_hydrogen_self_check_validate_certificates: true @@ -38,7 +146,6 @@ matrix_client_hydrogen_push: matrix_client_hydrogen_default_hs_url: "" matrix_client_hydrogen_bugReportEndpointUrl: "https://element.io/bugreports/submit" # noqa var-naming - # Default Hydrogen configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-client-hydrogen/tasks/init.yml b/roles/custom/matrix-client-hydrogen/tasks/init.yml deleted file mode 100644 index 561018e1a..000000000 --- a/roles/custom/matrix-client-hydrogen/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" - when: matrix_client_hydrogen_enabled | bool diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 89133364e..9e7445c0b 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml @@ -1,30 +1,26 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_client_hydrogen_enabled | bool" - tags: +- tags: - setup-all - setup-client-hydrogen + - install-all + - install-client-hydrogen + block: + - when: matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_client_hydrogen_enabled | bool" - tags: - - setup-all - - setup-client-hydrogen + - when: matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_client_hydrogen_enabled | bool" - tags: +- tags: - setup-all - setup-client-hydrogen + block: + - when: not matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_client_hydrogen_enabled | bool" - tags: +- tags: - self-check + block: + - when: matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-client-hydrogen/tasks/self_check.yml b/roles/custom/matrix-client-hydrogen/tasks/self_check.yml index 978e531f2..42c1f09b6 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/self_check.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/self_check.yml @@ -1,7 +1,7 @@ --- - ansible.builtin.set_fact: - matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}/config.json" + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_client_hydrogen_hostname }}{{ matrix_client_hydrogen_path_prefix }}/config.json" - name: Check Hydrogen ansible.builtin.uri: @@ -11,12 +11,14 @@ register: matrix_client_hydrogen_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Hydrogen not working ansible.builtin.fail: - msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + msg: "Failed checking Hydrogen is up at `{{ matrix_client_hydrogen_hostname }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" - name: Report working Hydrogen ansible.builtin.debug: - msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" + msg: "Hydrogen at `{{ matrix_client_hydrogen_hostname }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml index 6905081ad..0e1148042 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml @@ -38,11 +38,10 @@ - name: Ensure Hydrogen configuration installed ansible.builtin.copy: content: "{{ matrix_client_hydrogen_configuration | to_nice_json }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/src/platform/web/assets/config.json" + dest: "{{ matrix_client_hydrogen_data_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: "matrix_client_hydrogen_container_image_self_build | bool" - name: Ensure Hydrogen additional config files installed ansible.builtin.template: @@ -53,10 +52,8 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "item.src is not none" + - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} -# This step MUST come after the steps to install the configuration files because the config files -# are currently only read at build time, not at run time like most other components in the playbook - name: Ensure Hydrogen Docker image is built community.docker.docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" @@ -68,14 +65,13 @@ pull: true when: "matrix_client_hydrogen_container_image_self_build | bool" +- name: Ensure Hydrogen container network is created + community.general.docker_network: + name: "{{ matrix_client_hydrogen_container_network }}" + driver: bridge + - name: Ensure matrix-client-hydrogen.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service" mode: 0644 - register: matrix_client_hydrogen_systemd_service_result - -- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_hydrogen_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml index 090ce5673..d6caa5b97 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service" register: matrix_client_hydrogen_service_stat -- name: Ensure matrix-client-hydrogen is stopped - ansible.builtin.service: - name: matrix-client-hydrogen - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_client_hydrogen_service_stat.stat.exists | bool" +- when: matrix_client_hydrogen_service_stat.stat.exists | bool + block: + - name: Ensure matrix-client-hydrogen is stopped + ansible.builtin.service: + name: matrix-client-hydrogen + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-client-hydrogen.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service" - state: absent - when: "matrix_client_hydrogen_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_hydrogen_service_stat.stat.exists | bool" - -- name: Ensure Hydrogen paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_client_hydrogen_data_path }}" - state: absent + - name: Ensure matrix-client-hydrogen.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service" + state: absent -- name: Ensure Hydrogen Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - state: absent + - name: Ensure Hydrogen paths doesn't exist + ansible.builtin.file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent diff --git a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml index 65b0e14f6..dd880ddb2 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml @@ -7,3 +7,23 @@ when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build | bool" with_items: - "matrix_client_hydrogen_default_hs_url" + +- when: matrix_client_hydrogen_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-client-hydrogen Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_client_hydrogen_container_labels_traefik_hostname + - matrix_client_hydrogen_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_client_hydrogen_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_client_hydrogen_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_client_hydrogen_container_labels_traefik_path_prefix (`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/hydrogen`). + when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' and matrix_client_hydrogen_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index 161ee47bb..519d22615 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "assets/theme-Element.json" + "{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json" ], "defaultTheme": { "light": "element-light", diff --git a/roles/custom/matrix-client-hydrogen/templates/labels.j2 b/roles/custom/matrix-client-hydrogen/templates/labels.j2 new file mode 100644 index 000000000..71c3ca59e --- /dev/null +++ b/roles/custom/matrix-client-hydrogen/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_client_hydrogen_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_client_hydrogen_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_client_hydrogen_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.regex=({{ matrix_client_hydrogen_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-client-hydrogen-slashless-redirect'] %} +{% endif %} + +{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-hydrogen-strip-prefix.stripprefix.prefixes={{ matrix_client_hydrogen_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-client-hydrogen-strip-prefix'] %} +{% endif %} + +{% if matrix_client_hydrogen_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_client_hydrogen_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-client-hydrogen-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-client-hydrogen-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-client-hydrogen.rule={{ matrix_client_hydrogen_container_labels_traefik_rule }} +{% if matrix_client_hydrogen_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-client-hydrogen.priority={{ matrix_client_hydrogen_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-client-hydrogen.service=matrix-client-hydrogen +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-client-hydrogen.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-client-hydrogen.entrypoints={{ matrix_client_hydrogen_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-client-hydrogen.tls={{ matrix_client_hydrogen_container_labels_traefik_tls | to_json }} +{% if matrix_client_hydrogen_container_labels_traefik_tls %} +traefik.http.routers.matrix-client-hydrogen.tls.certResolver={{ matrix_client_hydrogen_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-client-hydrogen.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_client_hydrogen_container_labels_additional_labels }} diff --git a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index 92bfadcb9..1f1f0dc9b 100644 --- a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -13,24 +13,35 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-hydrogen \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-hydrogen \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_client_hydrogen_container_network }} \ {% if matrix_client_hydrogen_container_http_host_bind_port %} -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ {% endif %} + --label-file={{ matrix_client_hydrogen_data_path }}/labels \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/config.json.bundled,ro \ {% for arg in matrix_client_hydrogen_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_client_hydrogen_docker_image }} +{% for network in matrix_client_hydrogen_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-hydrogen +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-hydrogen + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-client-hydrogen diff --git a/roles/custom/matrix-common-after/defaults/main.yml b/roles/custom/matrix-common-after/defaults/main.yml deleted file mode 100644 index 51c48c7d0..000000000 --- a/roles/custom/matrix-common-after/defaults/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# Specifies how long to wait between starting systemd services and checking if they're started. -# -# A too low value may lead to a failure, as services may not have enough time to start and potentially fail. -# -# A value higher than 30 seconds (or any multiple of that) may also not work well, because a failing systemd service -# auto-restarts after 30 seconds (`RestartSec=30` in systemd service files). -# Checking if a service is running right after it had potentially restarted in such a way will lead us to -# thinking it's running, while it's merely starting again (and likely to fail again, given that it already did once). -# -# All of the services we manage are also started sequentially, which in itself can take a long time. -# There may be a ~10 second (or even larger) interval between starting the first service and starting the last one. -# This makes it even harder to pick a correct value. Such a 10 second gap and a waiting time of 20 seconds will -# put us right at the "dangerous" 30-second mark. -# -# We can try to measure this gap and adjust our waiting time accordingly, but we currently don't. -matrix_common_after_systemd_service_start_wait_for_timeout_seconds: 15 diff --git a/roles/custom/matrix-common-after/tasks/main.yml b/roles/custom/matrix-common-after/tasks/main.yml index 2cffecb1e..5e4dc76b9 100644 --- a/roles/custom/matrix-common-after/tasks/main.yml +++ b/roles/custom/matrix-common-after/tasks/main.yml @@ -1,15 +1,6 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/start.yml" - when: run_start | bool - tags: - - start - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/stop.yml" - when: run_stop | bool - tags: - - stop - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" - tags: +- tags: - run-docker-prune + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" diff --git a/roles/custom/matrix-common-after/tasks/start.yml b/roles/custom/matrix-common-after/tasks/start.yml deleted file mode 100644 index a781dab75..000000000 --- a/roles/custom/matrix-common-after/tasks/start.yml +++ /dev/null @@ -1,73 +0,0 @@ ---- - -- name: Determine whether we should make services autostart - ansible.builtin.set_fact: - matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled | default('') == '' else matrix_services_autostart_enabled | bool }}" - -- name: Ensure systemd is reloaded - ansible.builtin.service: - daemon_reload: true - -- name: Ensure Matrix services are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - with_items: "{{ matrix_systemd_services_list }}" - when: not ansible_check_mode - -- name: Ensure Matrix services are started - ansible.builtin.service: - name: "{{ item }}" - enabled: "{{ matrix_services_autostart_enabled_bool }}" - state: started - with_items: "{{ matrix_systemd_services_list }}" - when: not ansible_check_mode - -# If we check service state immediately, we may succeed, -# because it takes some time for the service to attempt to start and actually fail. -# -# Waiting too long (30s) may not work for a similar reason, -# as we may run into systemd's automatic restart logic retrying the service. -- name: Wait a bit, so that services can start (or fail) - ansible.builtin.wait_for: - timeout: "{{ matrix_common_after_systemd_service_start_wait_for_timeout_seconds }}" - delegate_to: 127.0.0.1 - become: false - -- when: "ansible_distribution != 'Archlinux'" - block: - - name: Populate service facts - ansible.builtin.service_facts: - - - name: Fail if service isn't detected to be running - ansible.builtin.fail: - msg: >- - {{ item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. - If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. - You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. - See `roles/custom/matrix-common-after/defaults/main.yml` for more details about that. - with_items: "{{ matrix_systemd_services_list }}" - when: - - "item.endswith('.service') and (ansible_facts.services[item] | default(none) is none or ansible_facts.services[item].state != 'running')" - -- when: "ansible_distribution == 'Archlinux'" - block: - # Currently there is a bug in ansible that renders is incompatible with systemd. - # service_facts is not collecting the data successfully. - # Therefore iterating here manually - - name: Fetch systemd information - ansible.builtin.systemd: - name: "{{ item }}" - register: systemdstatus - with_items: "{{ matrix_systemd_services_list }}" - - - name: Fail if service isn't detected to be running - ansible.builtin.fail: - msg: >- - {{ item.item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item.item }}` and `journalctl -fu {{ item.item }}` on the server to investigate. - with_items: "{{ systemdstatus.results }}" - when: "item.status['ActiveState'] != 'active'" diff --git a/roles/custom/matrix-common-after/tasks/stop.yml b/roles/custom/matrix-common-after/tasks/stop.yml deleted file mode 100644 index a343999c6..000000000 --- a/roles/custom/matrix-common-after/tasks/stop.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Ensure Matrix services stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - with_items: "{{ matrix_systemd_services_list }}" diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index 366321b9c..7673a7d27 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -6,7 +6,7 @@ matrix_conduit_enabled: true matrix_conduit_docker_image: "{{ matrix_conduit_docker_image_name_prefix }}matrixconduit/matrix-conduit:{{ matrix_conduit_docker_image_tag }}" matrix_conduit_docker_image_name_prefix: "docker.io/" -matrix_conduit_docker_image_tag: "v0.4.0" +matrix_conduit_docker_image_tag: "v0.5.0" matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}" matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit" @@ -23,6 +23,14 @@ matrix_conduit_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-conduit.service wants matrix_conduit_systemd_wanted_services_list: [] +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_conduit_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_conduit_container_additional_networks: [] + # Extra arguments for the Docker container matrix_conduit_container_extra_arguments: [] diff --git a/roles/custom/matrix-conduit/tasks/conduit/setup.yml b/roles/custom/matrix-conduit/tasks/conduit/setup.yml deleted file mode 100644 index 425d0f7e9..000000000 --- a/roles/custom/matrix-conduit/tasks/conduit/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup_install.yml" - when: "matrix_conduit_enabled | bool" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup_uninstall.yml" - when: "not matrix_conduit_enabled | bool" diff --git a/roles/custom/matrix-conduit/tasks/conduit/setup_uninstall.yml b/roles/custom/matrix-conduit/tasks/conduit/setup_uninstall.yml deleted file mode 100644 index efe7d40a0..000000000 --- a/roles/custom/matrix-conduit/tasks/conduit/setup_uninstall.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -- name: Check existence of matrix-conduit service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service" - register: matrix_conduit_service_stat - -- name: Ensure matrix-conduit is stopped - ansible.builtin.systemd: - name: matrix-conduit - state: stopped - daemon_reload: true - register: stopping_result - when: "matrix_conduit_service_stat.stat.exists" - -- name: Ensure matrix-conduit.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service" - state: absent - when: "matrix_conduit_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-conduit.service removal - ansible.builtin.systemd: - daemon_reload: true - when: "matrix_conduit_service_stat.stat.exists" - -- name: Ensure Conduit Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_conduit_docker_image }}" - state: absent diff --git a/roles/custom/matrix-conduit/tasks/init.yml b/roles/custom/matrix-conduit/tasks/init.yml deleted file mode 100644 index 5f464e404..000000000 --- a/roles/custom/matrix-conduit/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-conduit.service'] }}" - when: matrix_conduit_enabled | bool diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index 623d04582..f48e385e0 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -1,17 +1,17 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-conduit + - install-all + - install-conduit + block: + - when: matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- name: Mark matrix-conduit role as executed - ansible.builtin.set_fact: - matrix_conduit_role_executed: true - tags: - - always +- tags: + - setup-all + - setup-conduit + block: + - when: not matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-conduit/tasks/conduit/setup_install.yml b/roles/custom/matrix-conduit/tasks/setup_install.yml similarity index 85% rename from roles/custom/matrix-conduit/tasks/conduit/setup_install.yml rename to roles/custom/matrix-conduit/tasks/setup_install.yml index ebc5447b2..ecccbb326 100644 --- a/roles/custom/matrix-conduit/tasks/conduit/setup_install.yml +++ b/roles/custom/matrix-conduit/tasks/setup_install.yml @@ -1,14 +1,4 @@ --- -- name: Ensure Conduit Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_conduit_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - name: Ensure Conduit config path exists ansible.builtin.file: @@ -34,14 +24,24 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Conduit container network is created + community.general.docker_network: + name: "{{ matrix_conduit_container_network }}" + driver: bridge + +- name: Ensure Conduit container image is pulled + community.docker.docker_image: + name: "{{ matrix_conduit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + - name: Ensure matrix-conduit.service installed ansible.builtin.template: src: "{{ role_path }}/templates/conduit/systemd/matrix-conduit.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service" mode: 0644 - register: matrix_conduit_systemd_service_result - -- name: Ensure systemd reloaded after matrix-conduit.service installation - ansible.builtin.systemd: - daemon_reload: true - when: "matrix_conduit_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-conduit/tasks/setup_uninstall.yml b/roles/custom/matrix-conduit/tasks/setup_uninstall.yml new file mode 100644 index 000000000..1745ff973 --- /dev/null +++ b/roles/custom/matrix-conduit/tasks/setup_uninstall.yml @@ -0,0 +1,19 @@ +--- + +- name: Check existence of matrix-conduit service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service" + register: matrix_conduit_service_stat + +- when: matrix_conduit_service_stat.stat.exists | bool + block: + - name: Ensure matrix-conduit is stopped + ansible.builtin.systemd: + name: matrix-conduit + state: stopped + daemon_reload: true + + - name: Ensure matrix-conduit.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service" + state: absent diff --git a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 index cdaead01d..91c1e9151 100644 --- a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 +++ b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 @@ -12,13 +12,15 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-conduit \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-conduit \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduit_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_conduit_container_network }} \ --env CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml \ --mount type=bind,src={{ matrix_conduit_data_path }},dst=/var/lib/matrix-conduit \ --mount type=bind,src={{ matrix_conduit_config_path }},dst=/etc/matrix-conduit,ro \ @@ -27,6 +29,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_conduit_docker_image }} +{% for network in matrix_conduit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduit + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduit /bin/sh -c 'kill -HUP 1' diff --git a/roles/custom/matrix-conduit/vars/main.yml b/roles/custom/matrix-conduit/vars/main.yml index f6cc471bf..ad60e1c3e 100644 --- a/roles/custom/matrix-conduit/vars/main.yml +++ b/roles/custom/matrix-conduit/vars/main.yml @@ -1,6 +1,3 @@ --- matrix_conduit_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" matrix_conduit_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" - -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_conduit_role_executed: false diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 8c391dfbf..2b703bdd7 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml @@ -23,7 +23,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.4.0 +matrix_corporal_version: 2.5.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility @@ -37,7 +37,7 @@ matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" matrix_corporal_matrix_homeserver_domain_name: "{{ matrix_domain }}" -# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"). +# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse-reverse-proxy-companion:{{ matrix_synapse_container_client_api_port }}"). # If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`. matrix_corporal_matrix_homeserver_api_endpoint: "" diff --git a/roles/custom/matrix-corporal/tasks/init.yml b/roles/custom/matrix-corporal/tasks/init.yml deleted file mode 100644 index dffdbe908..000000000 --- a/roles/custom/matrix-corporal/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Matrix Corporal image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build and matrix_corporal_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" - when: matrix_corporal_enabled | bool diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml index 1699262b1..e8f3b785a 100644 --- a/roles/custom/matrix-corporal/tasks/main.yml +++ b/roles/custom/matrix-corporal/tasks/main.yml @@ -1,24 +1,26 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_corporal_enabled | bool" - tags: +- tags: - setup-all - setup-corporal + - install-all + - install-corporal + block: + - when: matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_corporal.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-corporal + block: + - when: not matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_corporal_enabled | bool" - tags: +- tags: - self-check + block: + - when: matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-corporal/tasks/self_check_corporal.yml b/roles/custom/matrix-corporal/tasks/self_check.yml similarity index 96% rename from roles/custom/matrix-corporal/tasks/self_check_corporal.yml rename to roles/custom/matrix-corporal/tasks/self_check.yml index 3ddda8e04..bf0e768b4 100644 --- a/roles/custom/matrix-corporal/tasks/self_check_corporal.yml +++ b/roles/custom/matrix-corporal/tasks/self_check.yml @@ -11,6 +11,8 @@ check_mode: false register: result_corporal_client_api ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Corporal HTTP gateway not working ansible.builtin.fail: diff --git a/roles/custom/matrix-corporal/tasks/setup_corporal.yml b/roles/custom/matrix-corporal/tasks/setup_install.yml similarity index 53% rename from roles/custom/matrix-corporal/tasks/setup_corporal.yml rename to roles/custom/matrix-corporal/tasks/setup_install.yml index 3f6ac86cd..e257d0118 100644 --- a/roles/custom/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/custom/matrix-corporal/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up matrix-corporal -# - - name: Ensure Matrix Corporal paths exist ansible.builtin.file: path: "{{ item }}" @@ -15,7 +11,6 @@ - "{{ matrix_corporal_config_dir_path }}" - "{{ matrix_corporal_cache_dir_path }}" - "{{ matrix_corporal_var_dir_path }}" - when: matrix_corporal_enabled | bool - name: Ensure Matrix Corporal repository is present on self-build ansible.builtin.git: @@ -26,7 +21,7 @@ become: true become_user: "{{ matrix_user_username }}" register: matrix_corporal_git_pull_results - when: "matrix_corporal_enabled | bool and matrix_corporal_container_image_self_build | bool" + when: matrix_corporal_container_image_self_build | bool - name: Ensure Matrix Corporal Docker image is built community.docker.docker_image: @@ -38,7 +33,7 @@ dockerfile: etc/docker/Dockerfile path: "{{ matrix_corporal_container_src_files_path }}" pull: true - when: "matrix_corporal_enabled | bool and matrix_corporal_container_image_self_build | bool" + when: matrix_corporal_container_image_self_build | bool - name: Ensure Matrix Corporal Docker image is pulled community.docker.docker_image: @@ -46,7 +41,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_corporal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_docker_image_force_pull }}" - when: "matrix_corporal_enabled | bool and not matrix_corporal_container_image_self_build | bool" + when: not matrix_corporal_container_image_self_build | bool register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -59,7 +54,6 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_corporal_enabled | bool - name: Ensure matrix-corporal.service installed ansible.builtin.template: @@ -67,55 +61,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" mode: 0644 register: matrix_corporal_systemd_service_result - when: matrix_corporal_enabled | bool - -- name: Ensure systemd reloaded after matrix-corporal.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_corporal_enabled | bool and matrix_corporal_systemd_service_result.changed" - - -# -# Tasks related to getting rid of matrix-corporal (if it was previously enabled) -# - -- name: Check existence of matrix-corporal service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" - register: matrix_corporal_service_stat - when: "not matrix_corporal_enabled | bool" - -- name: Ensure matrix-corporal is stopped - ansible.builtin.service: - name: matrix-corporal - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_corporal_enabled | bool and matrix_corporal_service_stat.stat.exists" - -- name: Ensure matrix-corporal.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" - state: absent - when: "not matrix_corporal_enabled | bool and matrix_corporal_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-corporal.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_corporal_enabled | bool and matrix_corporal_service_stat.stat.exists" - -- name: Ensure matrix-corporal files don't exist - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: - - "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" - - "{{ matrix_corporal_config_dir_path }}/config.json" - when: "not matrix_corporal_enabled | bool" - -- name: Ensure Matrix Corporal Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_corporal_docker_image }}" - state: absent - when: "not matrix_corporal_enabled | bool" diff --git a/roles/custom/matrix-corporal/tasks/setup_uninstall.yml b/roles/custom/matrix-corporal/tasks/setup_uninstall.yml new file mode 100644 index 000000000..6c6e8063a --- /dev/null +++ b/roles/custom/matrix-corporal/tasks/setup_uninstall.yml @@ -0,0 +1,28 @@ +--- + +- name: Check existence of matrix-corporal service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" + register: matrix_corporal_service_stat + +- when: matrix_corporal_service_stat.stat.exists | bool + block: + - name: Ensure matrix-corporal is stopped + ansible.builtin.service: + name: matrix-corporal + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-corporal.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" + state: absent + + - name: Ensure matrix-corporal files don't exist + ansible.builtin.file: + path: "{{ item }}" + state: absent + with_items: + - "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" + - "{{ matrix_corporal_config_dir_path }}/config.json" diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index b2aff9844..dd25df709 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.0-r0 +matrix_coturn_version: 4.6.2-r4 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" @@ -20,6 +20,13 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(' # # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking. +# +# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking, +# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port. +# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers. +# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`, +# which hopefully prevents access to such private network ranges. +# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened. matrix_coturn_docker_network: "matrix-coturn" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" @@ -32,7 +39,8 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. -# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}. +# See the `--mount` documentation for the `docker run` command. matrix_coturn_container_additional_volumes: [] # A list of extra arguments to pass to the container @@ -41,20 +49,20 @@ matrix_coturn_container_extra_arguments: [] # Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose. -matrix_coturn_container_stun_plain_host_bind_port: '3478' +matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}" # Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose. -matrix_coturn_container_stun_tls_host_bind_port: '5349' +matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}" # Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on. # # Takes an interface "" (e.g. "127.0.0.1"), or empty string to listen on all interfaces. -# Takes a null/none value (`~`) to prevent listening. +# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening. # # The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`. -matrix_coturn_container_turn_range_listen_interface: '' +matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}" # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 @@ -69,10 +77,68 @@ matrix_coturn_turn_external_ip_address: '' matrix_coturn_turn_external_ip_addresses: ["{{ matrix_coturn_turn_external_ip_address }}"] matrix_coturn_allowed_peer_ips: [] -matrix_coturn_denied_peer_ips: [] + +# We block loopback interfaces and private networks by default to prevent private resources from being accessible. +# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_docker_network: host`). +# +# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ +# +# If you're running Coturn for local network peers, you may wish to override these rules. +matrix_coturn_denied_peer_ips: + - 0.0.0.0-0.255.255.255 + - 10.0.0.0-10.255.255.255 + - 100.64.0.0-100.127.255.255 + - 127.0.0.0-127.255.255.255 + - 169.254.0.0-169.254.255.255 + - 172.16.0.0-172.31.255.255 + - 192.0.0.0-192.0.0.255 + - 192.0.2.0-192.0.2.255 + - 192.88.99.0-192.88.99.255 + - 192.168.0.0-192.168.255.255 + - 198.18.0.0-198.19.255.255 + - 198.51.100.0-198.51.100.255 + - 203.0.113.0-203.0.113.255 + - 240.0.0.0-255.255.255.255 + - ::1 + - 64:ff9b::-64:ff9b::ffff:ffff + - ::ffff:0.0.0.0-::ffff:255.255.255.255 + - 100::-100::ffff:ffff:ffff:ffff + - 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + - 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + - fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + - fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + matrix_coturn_user_quota: null matrix_coturn_total_quota: null +# Controls whether `no-tcp-relay` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422 +matrix_coturn_no_tcp_relay_enabled: true + +# Controls whether `no-multicast-peers` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632 +matrix_coturn_no_multicast_peers_enabled: true + +# Controls whether `no-rfc5780` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781 +matrix_coturn_no_rfc5780_enabled: true + +# Controls whether `no-stun-backward-compatibility` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789 +matrix_coturn_no_stun_backward_compatibility_enabled: true + +# Controls whether `response-origin-only-with-rfc5780` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796 +matrix_coturn_response_origin_only_with_rfc5780_enabled: true + +# Additional configuration to be passed to turnserver.conf +# Example: +# matrix_coturn_additional_configuration: | +# simple-log +# aux-server=1.2.3.4 +# relay-ip=4.3.2.1 +matrix_coturn_additional_configuration: '' + # To enable TLS, you need to provide paths to certificates. # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths. # Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`. diff --git a/roles/custom/matrix-coturn/tasks/init.yml b/roles/custom/matrix-coturn/tasks/init.yml deleted file mode 100644 index 315dfb656..000000000 --- a/roles/custom/matrix-coturn/tasks/init.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the coturn image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build and matrix_coturn_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" - when: matrix_coturn_enabled | bool - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" - when: "matrix_coturn_enabled | bool and matrix_coturn_tls_enabled | bool" diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml index 78f712f01..1b1332fb7 100644 --- a/roles/custom/matrix-coturn/tasks/main.yml +++ b/roles/custom/matrix-coturn/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_coturn_enabled | bool" - tags: +- tags: - setup-all - setup-coturn + - install-all + - install-coturn + block: + - when: matrix_coturn_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_coturn_enabled | bool" - tags: - - setup-all - - setup-coturn + - when: matrix_coturn_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_coturn_enabled | bool" - tags: +- tags: - setup-all - setup-coturn + block: + - when: not matrix_coturn_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 31b5446cb..503ffae10 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml @@ -1,11 +1,5 @@ --- -# This is a cleanup/migration task. It can be removed some time in the future. -- name: (Migration) Remove deprecated cronjob - ansible.builtin.file: - path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload" - state: absent - - name: Ensure Matrix Coturn path exists ansible.builtin.file: path: "{{ item.path }}" @@ -69,6 +63,7 @@ group: "{{ matrix_user_groupname }}" - name: Ensure Coturn network is created in Docker + when: matrix_coturn_docker_network not in ['', 'host'] community.docker.docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge @@ -78,7 +73,6 @@ src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service" mode: 0644 - register: matrix_coturn_systemd_service_change_results # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). @@ -88,7 +82,6 @@ src: "{{ role_path }}/templates/systemd/{{ item }}.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}" mode: 0644 - register: "matrix_coturn_systemd_service_change_results" when: "matrix_coturn_tls_enabled | bool" with_items: - matrix-coturn-reload.service @@ -99,13 +92,7 @@ ansible.builtin.file: path: "{{ item }}" state: absent - register: "matrix_coturn_systemd_service_change_results" when: "not matrix_coturn_tls_enabled | bool" with_items: - matrix-coturn-reload.service - matrix-coturn-reload.timer - -- name: Ensure systemd reloaded if systemd units changed - ansible.builtin.service: - daemon_reload: true - when: "matrix_coturn_systemd_service_change_results.changed" diff --git a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml b/roles/custom/matrix-coturn/tasks/setup_uninstall.yml index bf71b90ae..e747ff094 100644 --- a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-coturn/tasks/setup_uninstall.yml @@ -6,42 +6,33 @@ register: matrix_coturn_service_stat when: "not matrix_coturn_enabled | bool" -- name: Ensure matrix-coturn is stopped - ansible.builtin.service: - name: matrix-coturn - state: stopped - enabled: false - daemon_reload: true - when: "matrix_coturn_service_stat.stat.exists | bool" +- when: matrix_coturn_service_stat.stat.exists | bool + block: + - name: Ensure matrix-coturn is stopped + ansible.builtin.service: + name: matrix-coturn + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-coturn-reload.timer is stopped - ansible.builtin.service: - name: matrix-coturn - state: stopped - enabled: false - daemon_reload: true - failed_when: false - when: "matrix_coturn_service_stat.stat.exists | bool" + - name: Ensure matrix-coturn-reload.timer is stopped + ansible.builtin.service: + name: matrix-coturn + state: stopped + enabled: false + daemon_reload: true + failed_when: false -- name: Ensure systemd units don't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}" - state: absent - register: matrix_coturn_systemd_unit_uninstallation_result - with_items: - - matrix-coturn.service - - matrix-coturn-reload.service - - matrix-coturn-reload.timer + - name: Ensure systemd units don't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}" + state: absent + with_items: + - matrix-coturn.service + - matrix-coturn-reload.service + - matrix-coturn-reload.timer -- name: Ensure systemd reloaded after unit removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_coturn_systemd_unit_uninstallation_result.changed | bool" - -- name: Ensure Matrix coturn paths don't exist - ansible.builtin.file: - path: "{{ matrix_coturn_base_path }}" - state: absent - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. + - name: Ensure Matrix coturn paths don't exist + ansible.builtin.file: + path: "{{ matrix_coturn_base_path }}" + state: absent diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 3a0782bf8..2c0c9cd9e 100644 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -30,12 +30,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name -p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349 \ -p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349/udp \ {% endif %} - {% if matrix_coturn_container_turn_range_listen_interface is not none %} + {% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %} -p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ {% endif %} --mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \ {% for volume in matrix_coturn_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + --mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \ {% endfor %} {% for arg in matrix_coturn_container_extra_arguments %} {{ arg }} \ diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index 1bdf310a2..3ed7b99fa 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 @@ -30,7 +30,22 @@ no-dtls {% endif %} prod + +{% if matrix_coturn_no_tcp_relay_enabled %} no-tcp-relay +{% endif %} + +{% if matrix_coturn_no_rfc5780_enabled %} +no-rfc5780 +{% endif %} + +{% if matrix_coturn_no_stun_backward_compatibility_enabled %} +no-stun-backward-compatibility +{% endif %} + +{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %} +response-origin-only-with-rfc5780 +{% endif %} {% if matrix_coturn_user_quota != None %} user-quota={{ matrix_coturn_user_quota }} @@ -39,9 +54,15 @@ user-quota={{ matrix_coturn_user_quota }} total-quota={{ matrix_coturn_total_quota }} {% endif %} +{% if matrix_coturn_no_multicast_peers_enabled %} +no-multicast-peers +{% endif %} + {% for ip_range in matrix_coturn_denied_peer_ips %} denied-peer-ip={{ ip_range }} {% endfor %} {% for ip_range in matrix_coturn_allowed_peer_ips %} allowed-peer-ip={{ ip_range }} {% endfor %} + +{{ matrix_coturn_additional_configuration }} diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index b9dddfe9b..5cfbfe15e 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -4,9 +4,13 @@ matrix_dendrite_enabled: true -matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" -matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.10.7" +matrix_dendrite_container_image_self_build: false +matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/dendrite.git" + +matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith" +matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}" +matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_dendrite_docker_image_tag: "v0.13.1" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" @@ -14,8 +18,11 @@ matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config" matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_nats_storage_path: "{{ matrix_dendrite_base_path }}/nats" +matrix_dendrite_bin_path: "{{ matrix_dendrite_base_path }}/bin" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" +matrix_dendrite_docker_src_files_path: "{{ matrix_dendrite_base_path }}/docker-src" + # By default, we make Dendrite only serve HTTP (not HTTPS). # HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). # @@ -32,6 +39,14 @@ matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port | s # This is passed as an `-https-bind-address` flag to the Dendrite server in the container matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port | string) if matrix_dendrite_https_bind_port else '' }}" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dendrite_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dendrite_container_additional_networks: [] + # Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -46,15 +61,15 @@ matrix_dendrite_container_https_host_bind_address: "" # Also see `matrix_dendrite_container_arguments` matrix_dendrite_container_extra_arguments: [] -# matrix_dendrite_container_runtime_injected_arguments is a list of extra arguments to pass to the container. -# This list is built during runtime. You're not meant to override this variable. +# matrix_dendrite_container_extra_arguments_auto is a list of extra arguments to pass to the container. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_container_extra_arguments`. -matrix_dendrite_container_runtime_injected_arguments: [] +matrix_dendrite_container_extra_arguments_auto: [] # matrix_dendrite_container_arguments holds the final list of extra arguments to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_container_extra_arguments`. -matrix_dendrite_container_arguments: "{{ matrix_dendrite_container_extra_arguments + matrix_dendrite_container_runtime_injected_arguments }}" +matrix_dendrite_container_arguments: "{{ matrix_dendrite_container_extra_arguments + matrix_dendrite_container_extra_arguments_auto }}" # A list of extra arguments to pass to the container process (`dendrite-monolith` command) # Example: @@ -76,31 +91,34 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -matrix_dendrite_registration_shared_secret: '' +matrix_dendrite_client_api_registration_shared_secret: "" matrix_dendrite_allow_guest_access: false matrix_dendrite_max_file_size_bytes: 10485760 # Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. # This is likely required if Dendrite is running behind a reverse proxy server. -matrix_dendrite_sync_api_real_ip_header: '' +matrix_dendrite_sync_api_real_ip_header: "X-Forwarded-For" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 # Rate limits -matrix_dendrite_rate_limiting_enabled: true -matrix_dendrite_rate_limiting_threshold: 20 -matrix_dendrite_rate_limiting_cooloff_ms: 500 +matrix_dendrite_client_api_rate_limiting_enabled: true +matrix_dendrite_client_api_rate_limiting_threshold: 20 +matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500 # Controls whether people with access to the homeserver can register by themselves. -matrix_dendrite_registration_disabled: true +matrix_dendrite_client_api_registration_disabled: true # reCAPTCHA API for validating registration attempts -matrix_dendrite_enable_registration_captcha: false -matrix_dendrite_recaptcha_public_key: "" -matrix_dendrite_recaptcha_private_key: "" -matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +matrix_dendrite_client_api_enable_registration_captcha: false +matrix_dendrite_client_api_recaptcha_public_key: "" +matrix_dendrite_client_api_recaptcha_private_key: "" +matrix_dendrite_client_api_recaptcha_siteverify_api: "" +matrix_dendrite_client_api_recaptcha_api_js_url: "" +matrix_dendrite_client_api_recaptcha_form_field: "" +matrix_dendrite_client_api_recaptcha_sitekey_class: "" # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Dendrite extensions that have been enabled. @@ -118,15 +136,15 @@ matrix_dendrite_container_additional_volumes: [] # Also see `matrix_dendrite_app_service_config_files_final` matrix_dendrite_app_service_config_files: [] -# matrix_dendrite_app_service_runtime_injected_config_files is a list of appservice config files. -# This list is built during runtime. You're not meant to override this variable. +# matrix_dendrite_app_service_config_files_auto is a list of appservice config files. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_app_service_config_files`. -matrix_dendrite_app_service_runtime_injected_config_files: [] +matrix_dendrite_app_service_config_files_auto: [] # matrix_dendrite_app_service_config_files_final holds the final list of config files to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_app_service_config_files`. -matrix_dendrite_app_service_config_files_final: "{{ matrix_dendrite_app_service_config_files + matrix_dendrite_app_service_runtime_injected_config_files }}" +matrix_dendrite_app_service_config_files_final: "{{ matrix_dendrite_app_service_config_files + matrix_dendrite_app_service_config_files_auto }}" # Enable exposure of metrics matrix_dendrite_metrics_enabled: false @@ -135,23 +153,23 @@ matrix_dendrite_metrics_password: "metrics" # Postgres database information matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" -matrix_dendrite_database_hostname: "matrix-postgres" +matrix_dendrite_database_hostname: "" matrix_dendrite_database_user: "dendrite" matrix_dendrite_database_password: "itsasecret" -matrix_dendrite_federationapi_database: "dendrite_federationapi" -matrix_dendrite_keyserver_database: "dendrite_keyserver" -matrix_dendrite_mediaapi_database: "dendrite_mediaapi" +matrix_dendrite_federation_api_database: "dendrite_federationapi" +matrix_dendrite_key_server_database: "dendrite_keyserver" +matrix_dendrite_media_api_database: "dendrite_mediaapi" matrix_dendrite_room_database: "dendrite_room" -matrix_dendrite_syncapi_database: "dendrite_syncapi" -matrix_dendrite_userapi_database: "dendrite_userapi" -matrix_dendrite_pushserver_database: "dendrite_pushserver" +matrix_dendrite_sync_api_database: "dendrite_syncapi" +matrix_dendrite_user_api_database: "dendrite_userapi" +matrix_dendrite_push_server_database: "dendrite_pushserver" +matrix_dendrite_relay_api_database: "dendrite_relayapi" matrix_dendrite_mscs_database: "dendrite_mscs" -matrix_dendrite_turn_uris: [] -matrix_dendrite_turn_shared_secret: "" -matrix_dendrite_turn_allow_guests: false +matrix_dendrite_client_api_turn_uris: [] +matrix_dendrite_client_api_turn_shared_secret: "" +matrix_dendrite_client_api_turn_allow_guests: false -# Controls whether the self-check feature should validate TLS certificates. matrix_dendrite_disable_tls_validation: false matrix_dendrite_trusted_id_servers: @@ -194,3 +212,16 @@ matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_exten # Holds the final Dendrite configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml | from_yaml | combine(matrix_dendrite_configuration_extension, recursive=True) }}" + +matrix_dendrite_user_api_auto_join_rooms: [] + +# statistics reporting configuration. These statistics contain the server +# name, number of active users and some information on your deployment config. +matrix_dendrite_report_stats: false + +# Contorls whether thumbnails for media content are generated dynamically +matrix_dendrite_media_api_dynamic_thumbnails: false +matrix_dendrite_media_api_max_thumbnail_generators: 10 + +# Controls whether the full-text search engine is enabled +matrix_dendrite_sync_api_search_enabled: false diff --git a/roles/custom/matrix-dendrite/tasks/dendrite/setup.yml b/roles/custom/matrix-dendrite/tasks/dendrite/setup.yml deleted file mode 100644 index 1a8497294..000000000 --- a/roles/custom/matrix-dendrite/tasks/dendrite/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml" - when: matrix_dendrite_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml" - when: "not matrix_dendrite_enabled | bool" diff --git a/roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml deleted file mode 100644 index aec7f77b4..000000000 --- a/roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- -# This will throw a Permission Denied error if already mounted using fuse -- name: Check Dendrite media store path - ansible.builtin.stat: - path: "{{ matrix_dendrite_media_store_path }}" - register: local_path_media_store_stat - ignore_errors: true - -# This is separate and conditional, to ensure we don't execute it -# if the path already exists or we failed to check, because it's mounted using fuse. -- name: Ensure Dendrite media store path exists - ansible.builtin.file: - path: "{{ matrix_dendrite_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - -- name: Ensure Dendrite Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_dendrite_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Check if a Dendrite signing key exists - ansible.builtin.stat: - path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - register: matrix_dendrite_signing_key_stat - -# We do this so that the signing key would get generated. -# We don't use the `docker_container` module, because using it with `cap_drop` requires -# a very recent version, which is not available for a lot of people yet. -- name: Generate Dendrite signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-dendrite-config - --entrypoint=generate-keys - --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data - {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem - generate - when: "not matrix_dendrite_signing_key_stat.stat.exists" - -- name: Ensure Dendrite server key exists - ansible.builtin.file: - path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure Dendrite configuration installed - ansible.builtin.copy: - content: "{{ matrix_dendrite_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-dendrite.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" - mode: 0644 - register: matrix_dendrite_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dendrite.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_dendrite_systemd_service_result.changed | bool" - -- name: Ensure matrix-dendrite-create-account script created - ansible.builtin.template: - src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2" - dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account" - mode: 0750 diff --git a/roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml deleted file mode 100644 index ce3e34769..000000000 --- a/roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -- name: Check existence of matrix-dendrite service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" - register: matrix_dendrite_service_stat - -- name: Ensure matrix-dendrite is stopped - ansible.builtin.service: - name: matrix-dendrite - state: stopped - daemon_reload: true - register: stopping_result - when: "matrix_dendrite_service_stat.stat.exists" - -- name: Ensure matrix-dendrite.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" - state: absent - when: "matrix_dendrite_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-dendrite.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_dendrite_service_stat.stat.exists" - -- name: Ensure Dendrite Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_dendrite_docker_image }}" - state: absent diff --git a/roles/custom/matrix-dendrite/tasks/init.yml b/roles/custom/matrix-dendrite/tasks/init.yml deleted file mode 100644 index 4ce641e9d..000000000 --- a/roles/custom/matrix-dendrite/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" - when: matrix_dendrite_enabled | bool diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index d14beb154..78d81524c 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml @@ -1,42 +1,35 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-dendrite + - install-all + - install-dendrite + block: + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-dendrite + block: + - when: not matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_dendrite_register_user | bool and matrix_dendrite_enabled | bool - tags: - - register-user - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool and matrix_dendrite_enabled | bool - tags: +- tags: - self-check + block: + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool and matrix_dendrite_enabled | bool - tags: - - self-check + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" -- name: Mark matrix-dendrite role as executed - ansible.builtin.set_fact: - matrix_dendrite_role_executed: true - tags: - - always +- tags: + - register-user + block: + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" diff --git a/roles/custom/matrix-dendrite/tasks/register_user.yml b/roles/custom/matrix-dendrite/tasks/register_user.yml index d37e633bf..8ee18ed2f 100644 --- a/roles/custom/matrix-dendrite/tasks/register_user.yml +++ b/roles/custom/matrix-dendrite/tasks/register_user.yml @@ -1,4 +1,5 @@ --- + - name: Fail if playbook called incorrectly ansible.builtin.fail: msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" @@ -28,6 +29,6 @@ - name: Register user ansible.builtin.command: - cmd: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" + cmd: "{{ matrix_dendrite_bin_path }}/create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" register: matrix_dendrite_register_user_result changed_when: matrix_dendrite_register_user_result.rc == 0 diff --git a/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml b/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml index 99b6cb40d..f6eb602c6 100644 --- a/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml +++ b/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml @@ -7,6 +7,8 @@ register: result_matrix_dendrite_client_api ignore_errors: true check_mode: false + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Client API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml index 25b2871ce..bba20ff16 100644 --- a/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml +++ b/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml @@ -7,6 +7,8 @@ register: result_matrix_dendrite_federation_api ignore_errors: true check_mode: false + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Federation API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-dendrite/tasks/setup_dendrite.yml b/roles/custom/matrix-dendrite/tasks/setup_dendrite.yml deleted file mode 100644 index f74f08c2d..000000000 --- a/roles/custom/matrix-dendrite/tasks/setup_dendrite.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Ensure Dendrite paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_dendrite_config_dir_path }}", when: true} - - {path: "{{ matrix_dendrite_ext_path }}", when: true} - - {path: "{{ matrix_dendrite_nats_storage_path }}", when: true} - when: "matrix_dendrite_enabled | bool and item.when" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml new file mode 100644 index 000000000..64c047d1c --- /dev/null +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -0,0 +1,127 @@ +--- +- name: Ensure Dendrite paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_dendrite_config_dir_path }}" + when: true + - path: "{{ matrix_dendrite_bin_path }}" + when: true + - path: "{{ matrix_dendrite_ext_path }}" + when: true + - path: "{{ matrix_dendrite_nats_storage_path }}" + when: true + - path: "{{ matrix_dendrite_docker_src_files_path }}" + when: "{{ matrix_dendrite_container_image_self_build }}" + when: "item.when | bool" + +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Dendrite media store path + ansible.builtin.stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: true + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Dendrite media store path exists + ansible.builtin.file: + path: "{{ matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Dendrite Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_dendrite_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" + when: "not matrix_dendrite_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +# We do this so that the signing key would get generated. +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +- name: Generate Dendrite signing key + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-dendrite-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + creates: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + +- name: Ensure Dendrite server key exists + ansible.builtin.file: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite configuration installed + ansible.builtin.copy: + content: "{{ matrix_dendrite_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- when: "matrix_dendrite_container_image_self_build | bool" + block: + - name: Ensure Dendrite repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_dendrite_container_image_self_build_repo }}" + dest: "{{ matrix_dendrite_docker_src_files_path }}" + version: "{{ matrix_dendrite_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_dendrite_git_pull_results + + - name: Check if Dendrite Docker image exists + ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_dendrite_docker_image }}'" + register: matrix_dendrite_docker_image_check_result + changed_when: false + + # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module, + # because the latter does not support BuildKit. + # See: https://github.com/ansible-collections/community.general/issues/514 + - name: Ensure Dendrite Docker image is built + ansible.builtin.command: + cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}" + environment: + DOCKER_BUILDKIT: 1 + changed_when: true + when: "matrix_dendrite_git_pull_results.changed | bool or matrix_dendrite_docker_image_check_result.stdout == ''" + +- name: Ensure Dendrite container network is created + community.general.docker_network: + name: "{{ matrix_dendrite_container_network }}" + driver: bridge + +- name: Ensure matrix-dendrite.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + mode: 0644 + +- name: Ensure Dendrite scripts created + ansible.builtin.template: + src: "{{ role_path }}/templates/dendrite/bin/{{ item }}.j2" + dest: "{{ matrix_dendrite_bin_path }}/{{ item }}" + mode: 0750 + with_items: + - create-account diff --git a/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml new file mode 100644 index 000000000..f6a537b30 --- /dev/null +++ b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml @@ -0,0 +1,22 @@ +--- + +- name: Check existence of matrix-dendrite service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + register: matrix_dendrite_service_stat + +- when: matrix_dendrite_service_stat.stat.exists | bool + block: + - name: Ensure matrix-dendrite is stopped + ansible.builtin.service: + name: matrix-dendrite + state: stopped + daemon_reload: true + + - name: Ensure Dendrite paths don't exist + ansible.builtin.file: + path: "{{ item }}" + state: absent + with_items: + - "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + - "{{ matrix_dendrite_bin_path }}" diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index 390da9380..0b1540bb1 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,8 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_registration_shared_secret" + - matrix_dendrite_client_api_registration_shared_secret + - matrix_dendrite_database_hostname - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: @@ -13,4 +14,24 @@ Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" - with_items: [] + with_items: + - {'old': 'matrix_dendrite_enable_registration_captcha', 'new': 'matrix_dendrite_client_api_enable_registration_captcha'} + - {'old': 'matrix_dendrite_recaptcha_public_key', 'new': 'matrix_dendrite_client_api_recaptcha_public_key'} + - {'old': 'matrix_dendrite_recaptcha_private_key', 'new': 'matrix_dendrite_client_api_recaptcha_private_key'} + - {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'} + - {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'} + - {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'} + - {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_shared_secret'} + - {'old': 'matrix_dendrite_client_api_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_shared_secret'} + - {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'} + - {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'} + - {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'} + - {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'} + - {'old': 'matrix_dendrite_mediaapi_database', 'new': 'matrix_dendrite_media_api_database'} + - {'old': 'matrix_dendrite_syncapi_database', 'new': 'matrix_dendrite_sync_api_database'} + - {'old': 'matrix_dendrite_userapi_database', 'new': 'matrix_dendrite_user_api_database'} + - {'old': 'matrix_dendrite_userapi_auto_join_rooms', 'new': 'matrix_dendrite_user_api_auto_join_rooms'} + - {'old': 'matrix_dendrite_federationapi_database', 'new': 'matrix_dendrite_federation_api_database'} + - {'old': 'matrix_dendrite_pushserver_database', 'new': 'matrix_dendrite_push_server_database'} + - {'old': 'matrix_dendrite_relayapi_database', 'new': 'matrix_dendrite_relay_api_database'} + - {'old': 'matrix_dendrite_keyserver_database', 'new': 'matrix_dendrite_key_server_database'} diff --git a/roles/custom/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/custom/matrix-dendrite/templates/dendrite/bin/create-account.j2 similarity index 100% rename from roles/custom/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 rename to roles/custom/matrix-dendrite/templates/dendrite/bin/create-account.j2 diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 86a12d7c2..3c1e56e53 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -175,7 +175,7 @@ client_api: # Prevents new users from being able to register on this homeserver, except when # using the registration shared secret below. - registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} + registration_disabled: {{ matrix_dendrite_client_api_registration_disabled | to_json }} # Prevents new guest accounts from being created. Guest registration is also # disabled implicitly by setting 'registration_disabled' above. @@ -183,22 +183,25 @@ client_api: # If set, allows registration by anyone who knows the shared secret, regardless of # whether registration is otherwise disabled. - registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }} + registration_shared_secret: {{ matrix_dendrite_client_api_registration_shared_secret | string | to_json }} # Whether to require reCAPTCHA for registration. - enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} + enable_registration_captcha: {{ matrix_dendrite_client_api_enable_registration_captcha | to_json }} # Settings for ReCAPTCHA. - recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} - recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} + recaptcha_public_key: {{ matrix_dendrite_client_api_recaptcha_public_key | to_json }} + recaptcha_private_key: {{ matrix_dendrite_client_api_recaptcha_private_key | to_json }} recaptcha_bypass_secret: "" - recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }} + recaptcha_siteverify_api: {{ matrix_dendrite_client_api_recaptcha_siteverify_api | to_json }} + recaptcha_api_js_url: {{ matrix_dendrite_client_api_recaptcha_api_js_url | to_json }} + recaptcha_form_field: {{ matrix_dendrite_client_api_recaptcha_form_field | to_json }} + recaptcha_sitekey_class: {{ matrix_dendrite_client_api_recaptcha_sitekey_class | to_json }} # TURN server information that this homeserver should send to clients. turn: turn_user_lifetime: "" - turn_uris: {{ matrix_dendrite_turn_uris|to_json }} - turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} + turn_uris: {{ matrix_dendrite_client_api_turn_uris | to_json }} + turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }} turn_username: "" turn_password: "" @@ -206,9 +209,9 @@ client_api: # threshold number of "slots" have been taken by requests from a specific # host. Each "slot" will be released after the cooloff time in milliseconds. rate_limiting: - enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} - threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} - cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} + enabled: {{ matrix_dendrite_client_api_rate_limiting_enabled | to_json }} + threshold: {{ matrix_dendrite_client_api_rate_limiting_threshold | to_json }} + cooloff_ms: {{ matrix_dendrite_client_api_rate_limiting_cooloff_ms | to_json }} exempt_user_ids: # - "@user:domain.com" @@ -220,7 +223,7 @@ federation_api: external_api: listen: http://0.0.0.0:8072 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federation_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -263,7 +266,7 @@ key_server: listen: http://0.0.0.0:7779 connect: http://key_server:7779 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_key_server_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -276,7 +279,7 @@ media_api: external_api: listen: http://0.0.0.0:8074 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_media_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -290,10 +293,10 @@ media_api: max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. - dynamic_thumbnails: false + dynamic_thumbnails: {{ matrix_dendrite_media_api_dynamic_thumbnails|to_json }} # The maximum number of simultaneous thumbnail generators to run. - max_thumbnail_generators: 10 + max_thumbnail_generators: {{ matrix_dendrite_media_api_max_thumbnail_generators|to_json }} # A list of thumbnail sizes to be generated for media content. thumbnail_sizes: @@ -339,7 +342,7 @@ sync_api: external_api: listen: http://0.0.0.0:8073 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_sync_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -352,7 +355,7 @@ sync_api: # Configuration for the full-text search engine. search: # Whether or not search is enabled. - enabled: false + enabled: {{ matrix_dendrite_sync_api_search_enabled|to_json }} # The path where the search index will be created in. index_path: "/matrix-media-store-parent/searchindex" # The language most likely to be used on the server - used when indexing, to @@ -373,7 +376,7 @@ user_api: listen: http://0.0.0.0:7781 connect: http://user_api:7781 account_database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_userapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_user_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -382,6 +385,7 @@ user_api: # is considered to be valid in milliseconds. # The default lifetime is 3600000ms (60 minutes). # openid_token_lifetime_ms: 3600000 + auto_join_rooms: {{ matrix_dendrite_user_api_auto_join_rooms | to_json }} # Not in dendrite-config.yaml, but is in build/docker/config/dendrite.yaml # Configuration for the Push Server API. @@ -390,11 +394,17 @@ push_server: listen: http://localhost:7782 connect: http://localhost:7782 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_pushserver_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_push_server_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 +# +# +relay_api: + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_relay_api_database }}?sslmode=disable + # Configuration for Opentracing. # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on # how this works and how to set it up. @@ -414,3 +424,7 @@ tracing: # Logging configuration, in addition to the standard logging that is sent to # stdout by Dendrite. logging: [] + +# statistics reporting configuration. These statistics contain the server +# name, number of active users and some information on your deployment config. +report_stats: {{ matrix_dendrite_report_stats|to_json }} diff --git a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index b83f00bc4..378cf596e 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -16,19 +16,21 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dendrite 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true' -{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} -# Dendrite is too quick to start in relation to its matrix-postgres dependency. +{% if (devture_postgres_identifier + '.service') in matrix_dendrite_systemd_required_services_list %} +# Dendrite is too quick to start in relation to its Postgres dependency. # Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up"). ExecStartPre={{ matrix_host_command_sleep }} 5 {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dendrite \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dendrite_container_network }} \ {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} @@ -54,6 +56,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name -https-bind-address {{ matrix_dendrite_https_bind_address }} {% endif %} +{% for network in matrix_dendrite_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dendrite +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dendrite + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dendrite 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' diff --git a/roles/custom/matrix-dendrite/vars/main.yml b/roles/custom/matrix-dendrite/vars/main.yml index fcf020c2c..1e7aa378b 100644 --- a/roles/custom/matrix-dendrite/vars/main.yml +++ b/roles/custom/matrix-dendrite/vars/main.yml @@ -2,9 +2,6 @@ matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_dendrite_role_executed: false - matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path | dirname }}" matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path | basename }}" diff --git a/roles/custom/matrix-dimension/defaults/main.yml b/roles/custom/matrix-dimension/defaults/main.yml index ea1dde108..e66f90094 100644 --- a/roles/custom/matrix-dimension/defaults/main.yml +++ b/roles/custom/matrix-dimension/defaults/main.yml @@ -3,6 +3,15 @@ matrix_dimension_enabled: false +matrix_dimension_scheme: https + +# The hostname at which Dimension is served. +matrix_dimension_hostname: '' + +# The path at which Dimension is exposed. +# This value must either be `/` or not end with a slash (e.g. `/dimension`). +matrix_dimension_path_prefix: / + # You are required to specify an access token for Dimension to work. # For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens matrix_dimension_access_token: "" @@ -35,21 +44,129 @@ matrix_dimension_systemd_wanted_services_list: [] matrix_dimension_user_uid: '1000' matrix_dimension_user_gid: '1000' +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dimension_container_network: matrix-dimension + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dimension_container_additional_networks: [] + # Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8184"), or empty string to not expose. matrix_dimension_container_http_host_bind_port: '' + +# matrix_dimension_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_dimension_container_labels_additional_labels`. +matrix_dimension_container_labels_traefik_enabled: true +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_dimension_container_network }}" +matrix_dimension_container_labels_traefik_hostname: "{{ matrix_dimension_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/dimension`). +matrix_dimension_container_labels_traefik_path_prefix: "{{ matrix_dimension_path_prefix }}" +matrix_dimension_container_labels_traefik_rule: "Host(`{{ matrix_dimension_container_labels_traefik_hostname }}`){% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_dimension_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_dimension_container_labels_traefik_priority: 0 +matrix_dimension_container_labels_traefik_entrypoints: web-secure +matrix_dimension_container_labels_traefik_tls: "{{ matrix_dimension_container_labels_traefik_entrypoints != 'web' }}" +matrix_dimension_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_dimension_container_labels_traefik_additional_response_headers_custom` +matrix_dimension_container_labels_traefik_additional_response_headers: "{{ matrix_dimension_container_labels_traefik_additional_response_headers_auto | combine(matrix_dimension_container_labels_traefik_additional_response_headers_custom) }}" +matrix_dimension_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_dimension_http_header_xss_protection} if matrix_dimension_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_dimension_http_header_frame_options} if matrix_dimension_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_dimension_http_header_content_type_options} if matrix_dimension_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_dimension_http_header_content_security_policy} if matrix_dimension_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_dimension_http_header_strict_transport_security} if matrix_dimension_http_header_strict_transport_security and matrix_dimension_container_labels_traefik_tls else {}) + }} +matrix_dimension_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_dimension_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_dimension_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_dimension_container_labels_additional_labels: '' + + # A list of extra arguments to pass to the container matrix_dimension_container_extra_arguments: [] -matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element" -matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" -matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] -matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +# Public facing base URL of the Dimension service. +# It should not end with a slash. +matrix_dimension_base_url: "{{ matrix_dimension_scheme }}://{{ matrix_dimension_hostname }}{{ '' if matrix_dimension_path_prefix == '/' else matrix_dimension_path_prefix }}" + +matrix_dimension_integrations_ui_url: "{{ matrix_dimension_base_url }}/element" +matrix_dimension_integrations_rest_url: "{{ matrix_dimension_base_url }}/api/v1/scalar" +matrix_dimension_integrations_widgets_urls: ["{{ matrix_dimension_base_url }}/widgets"] +matrix_dimension_integrations_jitsi_widget_url: "{{ matrix_dimension_base_url }}/widgets/jitsi" + +matrix_dimension_homeserver_clientServerUrl: '' # noqa var-naming +matrix_dimension_homeserver_federationUrl: '' # noqa var-naming +matrix_dimension_homeserver_mediaUrl: '' # noqa var-naming -matrix_dimension_homeserver_federationUrl: "" # noqa var-naming +# Controls the dimension.publicUrl configuration option +matrix_dimension_dimension_publicUrl: "{{ matrix_dimension_base_url }}" # noqa var-naming +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_dimension_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_dimension_http_header_frame_options: '' + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_dimension_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_dimension_http_header_content_security_policy: '' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_dimension_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_dimension_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_dimension_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_dimension_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_dimension_content_permission_policy` +matrix_dimension_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_dimension_http_header_strict_transport_security` +matrix_dimension_hsts_preload_enabled: false # Database-related configuration fields. # @@ -65,7 +182,7 @@ matrix_dimension_sqlite_database_path_in_container: "dimension.db" matrix_dimension_database_username: 'matrix_dimension' matrix_dimension_database_password: 'some-password' -matrix_dimension_database_hostname: 'matrix-postgres' +matrix_dimension_database_hostname: '' matrix_dimension_database_port: 5432 matrix_dimension_database_name: 'matrix_dimension' diff --git a/roles/custom/matrix-dimension/tasks/init.yml b/roles/custom/matrix-dimension/tasks/init.yml deleted file mode 100644 index c60a2fe2e..000000000 --- a/roles/custom/matrix-dimension/tasks/init.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}" - when: matrix_dimension_enabled | bool diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml index 6eef50d65..1e949d3f2 100644 --- a/roles/custom/matrix-dimension/tasks/main.yml +++ b/roles/custom/matrix-dimension/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-dimension + - install-all + - install-dimension + block: + - when: matrix_dimension_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_dimension_enabled | bool - tags: - - setup-all - - setup-dimension + - when: matrix_dimension_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_dimension_enabled | bool - tags: +- tags: - setup-all - setup-dimension + block: + - when: not matrix_dimension_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml index 2aeb1e2a7..b1f0c242d 100644 --- a/roles/custom/matrix-dimension/tasks/setup_install.yml +++ b/roles/custom/matrix-dimension/tasks/setup_install.yml @@ -51,8 +51,11 @@ - {'table': 'dimension_bridges', 'column': 'isEnabled', 'default': ''} - {'table': 'dimension_bridges', 'column': 'isPublic', 'default': ''} - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_dimension_sqlite_database_path_local }}" dst: "{{ matrix_dimension_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -63,10 +66,6 @@ additional_psql_statements_list: "{{ matrix_dimension_pgloader_additional_psql_statements_list }}" additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}" - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_dimension_requires_restart: true @@ -86,6 +85,14 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_dimension_user_gid }}" +- name: Ensure Dimension labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_dimension_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure Dimension image is pulled community.docker.docker_image: name: "{{ matrix_dimension_docker_image }}" @@ -121,20 +128,20 @@ pull: true when: "matrix_dimension_container_image_self_build | bool" +- name: Ensure Dimension container network is created + community.general.docker_network: + name: "{{ matrix_dimension_container_network }}" + driver: bridge + - name: Ensure matrix-dimension.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service" mode: 0644 - register: matrix_dimension_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dimension.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_dimension_systemd_service_result.changed | bool" - name: Ensure matrix-dimension.service restarted, if necessary ansible.builtin.service: name: "matrix-dimension.service" state: restarted + daemon_reload: true when: "matrix_dimension_requires_restart | bool" diff --git a/roles/custom/matrix-dimension/tasks/setup_uninstall.yml b/roles/custom/matrix-dimension/tasks/setup_uninstall.yml index 8a5f5c755..239e4d892 100644 --- a/roles/custom/matrix-dimension/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-dimension/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service" register: matrix_dimension_service_stat -- name: Ensure matrix-dimension is stopped - ansible.builtin.service: - name: matrix-dimension - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_dimension_service_stat.stat.exists | bool" +- when: matrix_dimension_service_stat.stat.exists | bool + block: + - name: Ensure matrix-dimension is stopped + ansible.builtin.service: + name: matrix-dimension + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-dimension.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service" - state: absent - when: "matrix_dimension_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-dimension.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_dimension_service_stat.stat.exists | bool" - -- name: Ensure Dimension base directory doesn't exist - ansible.builtin.file: - path: "{{ matrix_dimension_base_path }}" - state: absent + - name: Ensure matrix-dimension.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service" + state: absent -- name: Ensure Dimension Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_dimension_docker_image }}" - state: absent + - name: Ensure Dimension base directory doesn't exist + ansible.builtin.file: + path: "{{ matrix_dimension_base_path }}" + state: absent diff --git a/roles/custom/matrix-dimension/tasks/validate_config.yml b/roles/custom/matrix-dimension/tasks/validate_config.yml index 5af0ba6d6..b001ceedb 100644 --- a/roles/custom/matrix-dimension/tasks/validate_config.yml +++ b/roles/custom/matrix-dimension/tasks/validate_config.yml @@ -1,11 +1,18 @@ --- + - name: Fail if required Dimension settings not defined ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Dimension. + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_dimension_access_token" - when: "matrix_dimension_enabled and vars[item] == ''" + - {'name': 'matrix_dimension_hostname', when: true} + - {'name': 'matrix_dimension_container_network', when: true} + - {'name': 'matrix_dimension_access_token', when: true} + - {'name': 'matrix_dimension_homeserver_clientServerUrl', when: true} + - {'name': 'matrix_dimension_homeserver_federationUrl', when: true} + - {'name': 'matrix_dimension_homeserver_mediaUrl', when: true} + - {'name': 'matrix_dimension_database_hostname', when: "{{ matrix_dimension_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Dimension variables ansible.builtin.fail: @@ -15,3 +22,31 @@ when: "item.old in vars" with_items: - {'old': 'matrix_dimension_container_expose_port', 'new': ''} + +- when: matrix_dimension_container_labels_traefik_enabled | bool + block: + - name: Fail if required Dimension Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_dimension_container_labels_traefik_hostname + - matrix_dimension_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_dimension_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/dimension`). + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" + + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix is not / + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must currently be set to `/`. + Other values are not supported. + See: https://github.com/turt2live/matrix-dimension/issues/510 + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-dimension/templates/config.yaml.j2 b/roles/custom/matrix-dimension/templates/config.yaml.j2 index 592c65ac8..c387c91b6 100644 --- a/roles/custom/matrix-dimension/templates/config.yaml.j2 +++ b/roles/custom/matrix-dimension/templates/config.yaml.j2 @@ -9,30 +9,30 @@ web: homeserver: # The domain name of the homeserver. This is used in many places, such as with go-neb # setups, to identify the homeserver. - name: "{{ matrix_domain }}" + name: {{ matrix_domain | to_json }} # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "{{ matrix_homeserver_container_url }}" + clientServerUrl: {{ matrix_dimension_homeserver_clientServerUrl | to_json }} # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" + federationUrl: {{ matrix_dimension_homeserver_federationUrl | to_json }} # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + mediaUrl: {{ matrix_dimension_homeserver_mediaUrl | to_json }} # The access token Dimension should use for miscellaneous access to the homeserver. This # should be for a user on the configured homeserver: any user will do, however it is # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" + accessToken: {{ matrix_dimension_access_token | to_json }} # These users can modify the integrations this Dimension supports. # To access the admin interface, open Dimension in Element and click the settings icon. -admins: {{ matrix_dimension_admins|to_json }} +admins: {{ matrix_dimension_admins | to_json }} # IPs and CIDR ranges listed here will be blocked from being widgets. # Note: Widgets may still be embedded with restricted content, although not through Dimension directly. @@ -72,4 +72,4 @@ goneb: dimension: # This is where Dimension is accessible from clients. Be sure to set this # to your own Dimension instance. - publicUrl: "https://{{ matrix_server_fqn_dimension }}" + publicUrl: {{ matrix_dimension_dimension_publicUrl | to_json }} diff --git a/roles/custom/matrix-dimension/templates/labels.j2 b/roles/custom/matrix-dimension/templates/labels.j2 new file mode 100644 index 000000000..24b570cbb --- /dev/null +++ b/roles/custom/matrix-dimension/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_dimension_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_dimension_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_dimension_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-dimension-slashless-redirect'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-strip-prefix.stripprefix.prefixes={{ matrix_dimension_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-dimension-strip-prefix'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_dimension_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-dimension-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-dimension-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-dimension.rule={{ matrix_dimension_container_labels_traefik_rule }} +{% if matrix_dimension_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dimension.priority={{ matrix_dimension_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-dimension.service=matrix-dimension +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-dimension.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-dimension.entrypoints={{ matrix_dimension_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-dimension.tls={{ matrix_dimension_container_labels_traefik_tls | to_json }} +{% if matrix_dimension_container_labels_traefik_tls %} +traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-dimension.loadbalancer.server.port=8184 +{% endif %} + +{{ matrix_dimension_container_labels_additional_labels }} diff --git a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 07428ffa5..0b14a117c 100644 --- a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -21,25 +21,35 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }} {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dimension \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dimension_container_network }} \ {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ {% endif %} {% if matrix_dimension_container_http_host_bind_port %} -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \ {% endif %} + --label-file={{ matrix_dimension_base_path }}/labels \ --mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \ {% for arg in matrix_dimension_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_dimension_docker_image }} +{% for network in matrix_dimension_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dimension +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dimension + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dimension 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dimension 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 77e01d0ee..6369f1096 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls103 +matrix_dynamic_dns_version: v3.10.0-ls126 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" diff --git a/roles/custom/matrix-dynamic-dns/tasks/init.yml b/roles/custom/matrix-dynamic-dns/tasks/init.yml deleted file mode 100644 index 9c906441f..000000000 --- a/roles/custom/matrix-dynamic-dns/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Dynamic DNS image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" - when: "matrix_dynamic_dns_enabled | bool" diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index 2f33af86e..8327a84ac 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_dynamic_dns_enabled | bool" - tags: +- tags: - setup-all - setup-dynamic-dns + - install-all + - install-dynamic-dns + block: + - when: matrix_dynamic_dns_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/install.yml" - when: "run_setup | bool and matrix_dynamic_dns_enabled | bool" - tags: - - setup-all - - setup-dynamic-dns + - when: matrix_dynamic_dns_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/uninstall.yml" - when: "run_setup | bool and not matrix_dynamic_dns_enabled | bool" - tags: +- tags: - setup-all - setup-dynamic-dns + block: + - when: not matrix_dynamic_dns_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-dynamic-dns/tasks/install.yml b/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml similarity index 92% rename from roles/custom/matrix-dynamic-dns/tasks/install.yml rename to roles/custom/matrix-dynamic-dns/tasks/setup_install.yml index 2367e9cb1..e64cc0a7d 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/install.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml @@ -61,9 +61,3 @@ src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2" dest: "/etc/systemd/system/matrix-dynamic-dns.service" mode: 0644 - register: matrix_dynamic_dns_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_dynamic_dns_systemd_service_result.changed" diff --git a/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml b/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml new file mode 100644 index 000000000..8f9f1b040 --- /dev/null +++ b/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml @@ -0,0 +1,20 @@ +--- + +- name: Check existence of matrix-dynamic-dns service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service" + register: matrix_dynamic_dns_service_stat + +- when: matrix_dynamic_dns_service_stat.stat.exists | bool + block: + - name: Ensure matrix-dynamic-dns is stopped + ansible.builtin.service: + name: matrix-dynamic-dns + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-dynamic-dns.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service" + state: absent diff --git a/roles/custom/matrix-dynamic-dns/tasks/uninstall.yml b/roles/custom/matrix-dynamic-dns/tasks/uninstall.yml deleted file mode 100644 index 7b4e76671..000000000 --- a/roles/custom/matrix-dynamic-dns/tasks/uninstall.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- - -- name: Check existence of matrix-dynamic-dns service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service" - register: matrix_dynamic_dns_service_stat - -- name: Ensure matrix-dynamic-dns is stopped - ansible.builtin.service: - name: matrix-dynamic-dns - state: stopped - enabled: false - daemon_reload: true - when: "matrix_dynamic_dns_service_stat.stat.exists" - -- name: Ensure matrix-dynamic-dns.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service" - state: absent - when: "matrix_dynamic_dns_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_dynamic_dns_service_stat.stat.exists" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-email2matrix/tasks/init.yml b/roles/custom/matrix-email2matrix/tasks/init.yml deleted file mode 100644 index 02dbc9ee3..000000000 --- a/roles/custom/matrix-email2matrix/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}" - when: matrix_email2matrix_enabled | bool diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml index 3adbc6466..acd2c9c1e 100644 --- a/roles/custom/matrix-email2matrix/tasks/main.yml +++ b/roles/custom/matrix-email2matrix/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_email2matrix_enabled | bool" - tags: +- tags: - setup-all - setup-email2matrix + - install-all + - install-email2matrix + block: + - when: matrix_email2matrix_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_email2matrix_enabled | bool" - tags: - - setup-all - - setup-email2matrix + - when: matrix_email2matrix_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_email2matrix_enabled | bool" - tags: +- tags: - setup-all - setup-email2matrix + block: + - when: not matrix_email2matrix_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-email2matrix/tasks/setup_install.yml b/roles/custom/matrix-email2matrix/tasks/setup_install.yml index 740506338..8cfbc5ea3 100644 --- a/roles/custom/matrix-email2matrix/tasks/setup_install.yml +++ b/roles/custom/matrix-email2matrix/tasks/setup_install.yml @@ -61,9 +61,3 @@ src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service" mode: 0644 - register: matrix_email2matrix_systemd_service_result - -- name: Ensure systemd reloaded after matrix-email2matrix.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_email2matrix_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml b/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml index c9600d0c9..e95ce6617 100644 --- a/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service" register: matrix_email2matrix_service_stat -- name: Ensure matrix-email2matrix is stopped - ansible.builtin.service: - name: matrix-email2matrix - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_email2matrix_service_stat.stat.exists | bool" +- when: matrix_email2matrix_service_stat.stat.exists | bool + block: + - name: Ensure matrix-email2matrix is stopped + ansible.builtin.service: + name: matrix-email2matrix + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-email2matrix.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service" - state: absent - when: "matrix_email2matrix_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-email2matrix.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_email2matrix_service_stat.stat.exists | bool" - -- name: Ensure Email2Matrix data path doesn't exist - ansible.builtin.file: - path: "{{ matrix_email2matrix_base_path }}" - state: absent + - name: Ensure matrix-email2matrix.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service" + state: absent -- name: Ensure Email2Matrix Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - state: absent + - name: Ensure Email2Matrix data path doesn't exist + ansible.builtin.file: + path: "{{ matrix_email2matrix_base_path }}" + state: absent diff --git a/roles/custom/matrix-etherpad/defaults/main.yml b/roles/custom/matrix-etherpad/defaults/main.yml deleted file mode 100644 index 540b2a518..000000000 --- a/roles/custom/matrix-etherpad/defaults/main.yml +++ /dev/null @@ -1,102 +0,0 @@ ---- -# Project source code URL: https://github.com/ether/etherpad-lite - -matrix_etherpad_enabled: false - -# standalone = etherpad installed on subdomain (etherpad.DOMAIN) and can be used as-is -# dimension = etherpad installed in subdir of dimension (dimension.DOMAIN/etherpad) and can be used with dimension -matrix_etherpad_mode: standalone - -matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" - -matrix_etherpad_version: 1.8.18 -matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" -matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" - -# List of systemd services that matrix-etherpad.service depends on. -matrix_etherpad_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-etherpad.service wants -matrix_etherpad_systemd_wanted_services_list: [] - -# Container user has to be able to write to the source file directories until this bug is fixed: -# https://github.com/ether/etherpad-lite/issues/2683 -matrix_etherpad_user_uid: '5001' -matrix_etherpad_user_gid: '5001' - -# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. -matrix_etherpad_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_etherpad_container_extra_arguments: [] - -# Used only when `matrix_etherpad_mode: dimension` -matrix_etherpad_public_endpoint: '/etherpad' - -# By default, the Etherpad app can be accessed on etherpad subdomain -matrix_etherpad_base_url: "https://{{ matrix_server_fqn_etherpad }}/" - -# Database-related configuration fields. -# -# Etherpad requires a dedicated database -matrix_etherpad_database_engine: 'postgres' - -matrix_etherpad_database_username: 'matrix_etherpad' -matrix_etherpad_database_password: 'some-password' -matrix_etherpad_database_hostname: 'matrix-postgres' -matrix_etherpad_database_port: 5432 -matrix_etherpad_database_name: 'matrix_etherpad' - -# If a admin username and password is set, the /admin web page will be -# available. -matrix_etherpad_admin_username: '' -matrix_etherpad_admin_password: '' - -matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' - -# Variables configuring the etherpad -matrix_etherpad_title: 'Etherpad' -matrix_etherpad_abiword: null -matrix_etherpad_soffice: null -matrix_etherpad_default_pad_text: | - Welcome to Etherpad! - - This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! - - Get involved with Etherpad at https://etherpad.org - -# Default Etherpad configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`) -# or completely replace this variable with your own template. -matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}" - -# Your custom JSON configuration for Etherpad goes here. -# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_etherpad_configuration_json`. -# -# Example configuration extension follows: -# -# matrix_etherpad_configuration_extension_json: | -# { -# "loadTest": true, -# "commitRateLimiting": { -# "duration": 1, -# "points": 10 -# } -# } -# -matrix_etherpad_configuration_extension_json: '{}' - -matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json | from_json if matrix_etherpad_configuration_extension_json | from_json is mapping else {} }}" - -# Holds the final Etherpad configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`. -matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default | combine(matrix_etherpad_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-etherpad/tasks/init.yml b/roles/custom/matrix-etherpad/tasks/init.yml deleted file mode 100644 index d35ed375e..000000000 --- a/roles/custom/matrix-etherpad/tasks/init.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}" - when: matrix_etherpad_enabled | bool - -- when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-etherpad role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Etherpad proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_etherpad_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; - - location {{ matrix_etherpad_public_endpoint }}/ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - proxy_pass http://matrix-etherpad:9001/; - {# These are proxy directives needed specifically by Etherpad #} - proxy_buffering off; - proxy_http_version 1.1; # recommended with keepalive connections - proxy_pass_header Server; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used - # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - {% else %} - {# Generic configuration for use outside of our container setup #} - # A good guide for setting up your Etherpad behind nginx: - # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html - proxy_pass http://127.0.0.1:9001/; - {% endif %} - } - - - name: Register Etherpad proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([]) - + - [matrix_etherpad_matrix_nginx_proxy_configuration] - }} diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml deleted file mode 100644 index caf0dda50..000000000 --- a/roles/custom/matrix-etherpad/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_etherpad_enabled | bool - tags: - - setup-all - - setup-etherpad - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_etherpad_enabled | bool - tags: - - setup-all - - setup-etherpad - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_etherpad_enabled | bool - tags: - - setup-all - - setup-etherpad diff --git a/roles/custom/matrix-etherpad/tasks/setup_install.yml b/roles/custom/matrix-etherpad/tasks/setup_install.yml deleted file mode 100644 index bb5e0e53e..000000000 --- a/roles/custom/matrix-etherpad/tasks/setup_install.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- - -- name: Ensure Etherpad base path exists - ansible.builtin.file: - path: "{{ matrix_etherpad_base_path }}" - state: directory - mode: 0770 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad config installed - ansible.builtin.copy: - content: "{{ matrix_etherpad_configuration | to_nice_json }}" - dest: "{{ matrix_etherpad_base_path }}/settings.json" - mode: 0640 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad image is pulled - community.docker.docker_image: - name: "{{ matrix_etherpad_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-etherpad.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - mode: 0644 - register: matrix_etherpad_systemd_service_result - -- name: Ensure systemd reloaded after matrix-etherpad.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_etherpad_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml b/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml deleted file mode 100644 index 7d93b9ab2..000000000 --- a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Check existence of matrix-etherpad service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - register: matrix_etherpad_service_stat - -- name: Ensure matrix-etherpad is stopped - ansible.builtin.service: - name: matrix-etherpad - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_etherpad_service_stat.stat.exists | bool" - -- name: Ensure matrix-etherpad.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - state: absent - when: "matrix_etherpad_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-etherpad.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_etherpad_service_stat.stat.exists | bool" - -- name: Ensure Etherpad base directory doesn't exist - ansible.builtin.file: - path: "{{ matrix_etherpad_base_path }}" - state: absent - -- name: Ensure Etherpad Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_etherpad_docker_image }}" - state: absent diff --git a/roles/custom/matrix-etherpad/tasks/validate_config.yml b/roles/custom/matrix-etherpad/tasks/validate_config.yml deleted file mode 100644 index 10ddc5843..000000000 --- a/roles/custom/matrix-etherpad/tasks/validate_config.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: Fail if no database is configured for Etherpad - ansible.builtin.fail: - msg: >- - Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname" - when: matrix_etherpad_database_hostname == "matrix-postgres" and not matrix_postgres_enabled - -- name: Fail if wrong mode selected - ansible.builtin.fail: - msg: >- - You're using Etherpad in 'dimension' mode (`matrix_etherpad_serving_mode: dimension`), which tries to host Etherpad at the Dimension subdomain - `{{ matrix_server_fqn_dimension }}`. However, this isn't possible because Dimension is not enabled. To resolve the problem, either enable Dimension (`matrix_dimension_enabled: true`) or switch Etherpad to standalone mode (`matrix_etherpad_mode: standalone`) and have it served on its own domain (`{{ matrix_server_fqn_etherpad }}`). - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' and not matrix_dimension_enabled | default(False) | bool diff --git a/roles/custom/matrix-etherpad/templates/settings.json.j2 b/roles/custom/matrix-etherpad/templates/settings.json.j2 deleted file mode 100644 index cc45d1905..000000000 --- a/roles/custom/matrix-etherpad/templates/settings.json.j2 +++ /dev/null @@ -1,116 +0,0 @@ -{ - "title": {{ matrix_etherpad_title|to_json }}, - "favicon": "favicon.ico", - "skinName": "colibris", - "skinVariants": "super-light-toolbar super-light-editor light-background", - "ip": "::", - "port": 9001, - "showSettingsInAdminPage": true, - "dbType": {{ matrix_etherpad_database_engine|to_json }}, - "dbSettings": { - "database": {{ matrix_etherpad_database_name|to_json }}, - "host": {{ matrix_etherpad_database_hostname|to_json }}, - "password": {{ matrix_etherpad_database_password|to_json }}, - "port": {{ matrix_etherpad_database_port|to_json }}, - "user": {{ matrix_etherpad_database_username|to_json }} - }, - "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, - "suppressErrorsInPadText": false, - "requireSession": false, - "editOnly": false, - "minify": true, - "maxAge": 21600, - "abiword": {{ matrix_etherpad_abiword|to_json }}, - "soffice": {{ matrix_etherpad_soffice|to_json }}, - "tidyHtml": null, - "allowUnknownFileEnds": true, - "requireAuthentication": false, - "requireAuthorization": false, - "trustProxy": true, - "cookie": { - "sameSite": "Lax" - }, - "disableIPlogging": true, - "automaticReconnectionTimeout": 0, - "scrollWhenFocusLineIsOutOfViewport": { - "percentage": { - "editionAboveViewport": 0, - "editionBelowViewport": 0 - }, - "duration": 0, - "scrollWhenCaretIsInTheLastLineOfViewport": false, - "percentageToScrollWhenUserPressesArrowUp": 0 - }, - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], - "socketIo": { - "maxHttpBufferSize": 10000 - }, - "loadTest": false, - "dumpOnUncleanExit": false, - "indentationOnNewLine": false, - "importExportRateLimiting": { - "windowMs": 90000, - "max": 10 - }, - "importMaxFileSize": 52428800, - "commitRateLimiting": { - "duration": 1, - "points": 10 - }, - "exposeVersion": false, - "padOptions": { - "noColors": false, - "showControls": true, - "showChat": false, - "showLineNumbers": true, - "useMonospaceFont": false, - "userName": false, - "userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" - }, -{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} - "users": { - {{ matrix_etherpad_admin_username|to_json }}: { - "password": {{ matrix_etherpad_admin_password|to_json }}, - "is_admin": true - } - }, -{% endif %} - "padShortcutEnabled" : { - "altF9": true, - "altC": true, - "cmdShift2": true, - "delete": true, - "return": true, - "esc": true, - "cmdS": true, - "tab": true, - "cmdZ": true, - "cmdY": true, - "cmdI": true, - "cmdB": true, - "cmdU": true, - "cmd5": true, - "cmdShiftL": true, - "cmdShiftN": true, - "cmdShift1": true, - "cmdShiftC": true, - "cmdH": true, - "ctrlHome": true, - "pageUp": true, - "pageDown": true - }, - "loglevel": "WARN", - "logconfig" : - { "appenders": [ - { "type": "console", - "layout": {"type": "messagePassThrough"} - } - ] - }, - "customLocaleStrings": {}, - "enableAdminUITests": false -} diff --git a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 deleted file mode 100644 index e0a104815..000000000 --- a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ /dev/null @@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Etherpad -{% for service in matrix_etherpad_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_etherpad_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-etherpad \ - --log-driver=none \ - --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_etherpad_container_http_host_bind_port %} - -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ - {% endif %} - --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ - {% for arg in matrix_etherpad_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_etherpad_docker_image }} \ - node --experimental-worker src/node/server.js \ - --settings /data/settings.json --credentials /data/credentials.json \ - --sessionkey /data/sessionkey.json --apikey /data/apijey.json - - -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-etherpad - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml deleted file mode 100644 index 7c5e8d993..000000000 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ /dev/null @@ -1,65 +0,0 @@ ---- -# matrix-grafana is open source visualization and analytics software -# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md -# Project source code URL: https://github.com/grafana/grafana - -matrix_grafana_enabled: true - -matrix_grafana_version: 9.2.4 -matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" -matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" - -# matrix_grafana_dashboard_download_urls holds a list of URLs of dashboards to download -matrix_grafana_dashboard_download_urls: [] - -matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana" -matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config" -matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data" - -# Allow viewing Grafana without logging in -matrix_grafana_anonymous_access: false - -# When `false`, sends a `X-Frame-Options: deny` HTTP header, which allows Grafana from being embeded in a frame. -# Read more here: https://grafana.com/docs/grafana/latest/administration/configuration/#allow_embedding -matrix_grafana_allow_embedding: false - -# specify organization name that should be used for unauthenticated users -# if you change this in the Grafana admin panel, this needs to be updated -# to match to keep anonymous logins working -matrix_grafana_anonymous_access_org_name: 'Main Org.' - - -# default admin credentials, you are asked to change these on first login -matrix_grafana_default_admin_user: admin -matrix_grafana_default_admin_password: admin - -# Set to true to add the Content-Security-Policy header to your requests. -# CSP allows to control resources that the user agent can load and helps -# prevent XSS attacks. -# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) -matrix_grafana_content_security_policy: true - -# specify content security policy template to customized template -# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. -# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) -# [Content Security Policy Reference](https://content-security-policy.com/script-src/) -matrix_grafana_content_security_policy_customized: false -matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" - -# matrix_grafana_default_home_dashboard_path influences the `default_home_dashboard_path` grafana.ini setting, -# which is an in-container path for the default dashboard. -matrix_grafana_default_home_dashboard_path: /etc/grafana/dashboards/node-exporter-full.json - -# A list of extra arguments to pass to the container -matrix_grafana_container_extra_arguments: [] - -# List of systemd services that matrix-grafana.service depends on -matrix_grafana_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-grafana.service wants -matrix_grafana_systemd_wanted_services_list: [] - -# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose. -matrix_grafana_container_http_host_bind_port: '' diff --git a/roles/custom/matrix-grafana/tasks/init.yml b/roles/custom/matrix-grafana/tasks/init.yml deleted file mode 100644 index 7b363ee77..000000000 --- a/roles/custom/matrix-grafana/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-grafana.service'] }}" - when: matrix_grafana_enabled | bool diff --git a/roles/custom/matrix-grafana/tasks/main.yml b/roles/custom/matrix-grafana/tasks/main.yml deleted file mode 100644 index 34a3f415b..000000000 --- a/roles/custom/matrix-grafana/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_grafana_enabled | bool" - tags: - - setup-all - - setup-grafana - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-grafana diff --git a/roles/custom/matrix-grafana/tasks/setup.yml b/roles/custom/matrix-grafana/tasks/setup.yml deleted file mode 100644 index eabd25e5f..000000000 --- a/roles/custom/matrix-grafana/tasks/setup.yml +++ /dev/null @@ -1,118 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-grafana -# - -- name: Ensure matrix-grafana image is pulled - community.docker.docker_image: - name: "{{ matrix_grafana_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}" - when: "matrix_grafana_enabled | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure grafana paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_grafana_base_path }}" - - "{{ matrix_grafana_config_path }}" - - "{{ matrix_grafana_config_path }}/provisioning" - - "{{ matrix_grafana_config_path }}/provisioning/datasources" - - "{{ matrix_grafana_config_path }}/provisioning/dashboards" - - "{{ matrix_grafana_config_path }}/dashboards" - - "{{ matrix_grafana_data_path }}" - when: matrix_grafana_enabled | bool - -- name: Ensure grafana.ini present - ansible.builtin.template: - src: "{{ role_path }}/templates/grafana.ini.j2" - dest: "{{ matrix_grafana_config_path }}/grafana.ini" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled | bool - -- name: Ensure provisioning/datasources/default.yaml present - ansible.builtin.template: - src: "{{ role_path }}/templates/datasources.yaml.j2" - dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled | bool - -- name: Ensure provisioning/dashboards/default.yaml present - ansible.builtin.template: - src: "{{ role_path }}/templates/dashboards.yaml.j2" - dest: "{{ matrix_grafana_config_path }}/provisioning/dashboards/default.yaml" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled | bool - -- name: Ensure dashboard(s) downloaded - ansible.builtin.get_url: - url: "{{ item }}" - dest: "{{ matrix_grafana_config_path }}/dashboards/" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls }}" - when: matrix_grafana_enabled | bool - register: result - retries: "{{ devture_playbook_help_geturl_retries_count }}" - delay: "{{ devture_playbook_help_geturl_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-grafana.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - mode: 0644 - register: matrix_grafana_systemd_service_result - when: matrix_grafana_enabled | bool - -- name: Ensure systemd reloaded after matrix-grafana.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_grafana_enabled | bool and matrix_grafana_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-grafana (if it was previously enabled) -# - -- name: Check existence of matrix-grafana service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - register: matrix_grafana_service_stat - -- name: Ensure matrix-grafana is stopped - ansible.builtin.service: - name: matrix-grafana - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_grafana_enabled | bool and matrix_grafana_service_stat.stat.exists" - -- name: Ensure matrix-grafana.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - state: absent - when: "not matrix_grafana_enabled | bool and matrix_grafana_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-grafana.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_grafana_enabled | bool and matrix_grafana_service_stat.stat.exists" diff --git a/roles/custom/matrix-grafana/tasks/validate_config.yml b/roles/custom/matrix-grafana/tasks/validate_config.yml deleted file mode 100644 index 21c44dc83..000000000 --- a/roles/custom/matrix-grafana/tasks/validate_config.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: Fail if Prometheus not enabled - ansible.builtin.fail: - msg: > - You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana. - when: "not matrix_prometheus_enabled" - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_grafana_dashboard_download_urls_all', 'new': 'matrix_grafana_dashboard_download_urls'} diff --git a/roles/custom/matrix-grafana/templates/dashboards.yaml.j2 b/roles/custom/matrix-grafana/templates/dashboards.yaml.j2 deleted file mode 100644 index aae42ba29..000000000 --- a/roles/custom/matrix-grafana/templates/dashboards.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: 1 - -providers: - - name: {{ matrix_server_fqn_matrix }} - Dashboards - folder: '' # The folder where to place the dashboards - type: file - allowUiUpdates: true - options: - path: /etc/grafana/dashboards diff --git a/roles/custom/matrix-grafana/templates/datasources.yaml.j2 b/roles/custom/matrix-grafana/templates/datasources.yaml.j2 deleted file mode 100644 index 6ccbe3742..000000000 --- a/roles/custom/matrix-grafana/templates/datasources.yaml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: 1 - -datasources: - - name: {{ matrix_server_fqn_matrix }} - Prometheus - type: prometheus - # Access mode - proxy (server in the UI) or direct (browser in the UI). - access: proxy - url: http://matrix-prometheus:9090 diff --git a/roles/custom/matrix-grafana/templates/grafana.ini.j2 b/roles/custom/matrix-grafana/templates/grafana.ini.j2 deleted file mode 100644 index ac609f914..000000000 --- a/roles/custom/matrix-grafana/templates/grafana.ini.j2 +++ /dev/null @@ -1,29 +0,0 @@ -[server] -root_url = "https://{{ matrix_server_fqn_grafana }}" - -[security] -# default admin user, created on startup -admin_user = "{{ matrix_grafana_default_admin_user }}" - -# default admin password, can be changed before first start of grafana, or in profile settings -admin_password = """{{ matrix_grafana_default_admin_password }}""" - -# specify content_security_policy to add the Content-Security-Policy header to your requests -content_security_policy = "{{ matrix_grafana_content_security_policy }}" - -# specify content security policy template to customized template -{% if matrix_grafana_content_security_policy_customized %} -content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" -{% endif %} - -allow_embedding = {{ matrix_grafana_allow_embedding }} - -[auth.anonymous] -# enable anonymous access -enabled = {{ matrix_grafana_anonymous_access }} - -# specify organization name that should be used for unauthenticated users -org_name = "{{ matrix_grafana_anonymous_access_org_name }}" - -[dashboards] -default_home_dashboard_path = {{ matrix_grafana_default_home_dashboard_path }} diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml deleted file mode 100644 index e1fcc318a..000000000 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ /dev/null @@ -1,269 +0,0 @@ ---- -# Project source code URL: https://github.com/jitsi/docker-jitsi-meet - -matrix_jitsi_enabled: true - -matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" - -matrix_jitsi_enable_auth: false -matrix_jitsi_enable_guests: false -matrix_jitsi_enable_recording: false -matrix_jitsi_enable_transcriptions: false -matrix_jitsi_enable_jaas_components: false -matrix_jitsi_enable_p2p: true -matrix_jitsi_enable_av_moderation: true -matrix_jitsi_enable_breakout_rooms: true - -# Authentication type, must be one of internal, jwt or ldap. -# Currently only internal and ldap mechanisms are supported by this playbook. -matrix_jitsi_auth_type: internal - -# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. -# -# Accounts added here and subsquently removed will not be automatically removed -# from the Prosody server until user account cleaning is integrated into the playbook. -# -# Example: -# matrix_jitsi_prosody_auth_internal_accounts: -# - username: "jitsi-moderator" -# password: "secret-password" -# - username: "another-user" -# password: "another-password" -matrix_jitsi_prosody_auth_internal_accounts: [] - -# Configuration options for LDAP authentication. For details see upstream: -# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. -# Defaults are taken from: -# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf -matrix_jitsi_ldap_url: "" -matrix_jitsi_ldap_base: "" -matrix_jitsi_ldap_binddn: "" -matrix_jitsi_ldap_bindpw: "" -matrix_jitsi_ldap_filter: "uid=%u" -matrix_jitsi_ldap_auth_method: "bind" -matrix_jitsi_ldap_version: "3" -matrix_jitsi_ldap_use_tls: false -matrix_jitsi_ldap_tls_ciphers: "" -matrix_jitsi_ldap_tls_check_peer: false -matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" -matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" -matrix_jitsi_ldap_start_tls: false - -matrix_jitsi_timezone: UTC - -matrix_jitsi_xmpp_domain: meet.jitsi -matrix_jitsi_xmpp_server: xmpp.meet.jitsi -matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi -matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 -matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi -matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi -matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi -matrix_jitsi_xmpp_modules: '' - -matrix_jitsi_recorder_domain: recorder.meet.jitsi - - -matrix_jitsi_jibri_brewery_muc: jibribrewery -matrix_jitsi_jibri_pending_timeout: 90 -matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: '' -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' - -matrix_jitsi_enable_lobby: false - -matrix_jitsi_version: stable-7882 -matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility - -matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" - -matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" -matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" -matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" -matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs" - -matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" - -# STUN servers used in the web UI. Feel free to point them to your own STUN server. -# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. -matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] - -# Setting up TURN -# Default set with Coturn container -matrix_jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret }}" -matrix_jitsi_turn_host: "turn.{{ matrix_server_fqn_matrix }}" -matrix_jitsi_turns_host: "turn.{{ matrix_server_fqn_matrix }}" -matrix_jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port }}" -matrix_jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port }}" - -# Controls whether Etherpad will be available within Jitsi -matrix_jitsi_etherpad_enabled: false - -# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:13080"), or empty string to not expose. -matrix_jitsi_web_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_jitsi_web_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-web.service depends on -matrix_jitsi_web_systemd_required_services_list: ['docker.service'] - - -# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web. -# -# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. -# -# For interface configuration, the flow is like this: -# - a default `interface_config.js` is generated from within the docker image -# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. -# -# Example: -# matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.LANG_DETECTION = false; -# interfaceConfig.SHOW_JITSI_WATERMARK = false; -# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; -matrix_jitsi_web_custom_interface_config_extension: '' - - -# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10) -matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~ -# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10) -matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~ - -matrix_jitsi_web_config_defaultLanguage: 'en' # noqa var-naming - -# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280) -matrix_jitsi_web_config_resolution_width_ideal_and_max: ~ -# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320) -matrix_jitsi_web_config_resolution_width_min: ~ -# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720) -matrix_jitsi_web_config_resolution_height_ideal_and_max: ~ -# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180) -matrix_jitsi_web_config_resolution_height_min: ~ - -# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web. -# This configuration gets appended to the final configuration that Jitsi Web uses. -# -# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`. -# -# The flow is like this: -# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container -# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`) -# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`. -# -# Example: -# matrix_jitsi_web_custom_config_extension: | -# if (!config.hasOwnProperty('testing')) config.testing = {}; -# config.testing.p2pTestMode = true -matrix_jitsi_web_custom_config_extension: '' - -# Additional environment variables to pass to the Jitsi Web container. -# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup. -# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration -# by using `matrix_jitsi_web_custom_config_extension`. -# -# Example: -# matrix_jitsi_web_environment_variables_extension: | -# ENABLE_FILE_RECORDING_SERVICE=1 -# DROPBOX_APPKEY=something -# DROPBOX_REDIRECT_URI=something -matrix_jitsi_web_environment_variables_extension: '' - - -matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" - -matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" -matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" -matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" - -# A list of extra arguments to pass to the container -matrix_jitsi_prosody_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-prosody.service depends on -matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] - -# Neccessary Port binding for those disabling the integrated nginx proxy -matrix_jitsi_prosody_container_http_host_bind_port: '' - -matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" - -matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" -matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jicofo_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jicofo.service depends on -matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] - -matrix_jitsi_jicofo_component_secret: '' -matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: '' - -matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" - -matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" -matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jvb_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jvb.service depends on -matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] - -matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: '' - -# STUN servers used by JVB on the server-side, so it can discover its own external IP address. -# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. -matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] - -matrix_jitsi_jvb_brewery_muc: jvbbrewery -matrix_jitsi_jvb_rtp_udp_port: 10000 -matrix_jitsi_jvb_rtp_tcp_port: 4443 - -# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. -# This configuration gets appended to the final configuration that Jitsi JVB uses. -# -# The flow is like this: -# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container -# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`) -# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`. -# -# Example: -# matrix_jitsi_jvb_custom_config_extension: | -# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false -# org.jitsi.videobridge.ENABLE_STATISTICS=false -matrix_jitsi_jvb_custom_config_extension: '' - -# Additional environment variables to pass to the Jitsi JVB container. -# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup. -# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration -# by using `matrix_jitsi_jvb_custom_config_extension`. -# -# Example: -# matrix_jitsi_jvb_environment_variables_extension: | -# SOME_VARIABLE=1 -# ANOTHER_VARIABLE=something -matrix_jitsi_jvb_environment_variables_extension: '' - -# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:10000"), or empty string to not expose. -matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}" - -# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:4443"), or empty string to not expose. -matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}" - -# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' diff --git a/roles/custom/matrix-jitsi/tasks/init.yml b/roles/custom/matrix-jitsi/tasks/init.yml deleted file mode 100644 index 8606c4b3e..000000000 --- a/roles/custom/matrix-jitsi/tasks/init.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" - when: matrix_jitsi_enabled | bool - -- name: Fail if on an unsupported architecture - ansible.builtin.fail: - msg: "Jitsi only supports the amd64 architecture right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214" - when: matrix_jitsi_enabled | bool and matrix_architecture not in ['amd64', 'arm64'] diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml deleted file mode 100644 index 7da6ebf95..000000000 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_jitsi_enabled | bool" - tags: - - setup-all - - setup-jitsi - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml deleted file mode 100644 index c52c19021..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -- ansible.builtin.import_role: - name: custom/matrix-base - tasks_from: ensure_openssl_installed - -# -# Tasks related to setting up jitsi -# - -- name: Ensure Matrix jitsi base path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_base_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -# -# Tasks related to getting rid of jitsi (if it was previously enabled) -# diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo.yml deleted file mode 100644 index d93953086..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ /dev/null @@ -1,102 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-jicofo -# - -- name: Ensure Matrix jitsi-jicofo path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_jicofo_base_path }}", when: true} - - {path: "{{ matrix_jitsi_jicofo_config_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -- name: Ensure jitsi-jicofo Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_jicofo_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-jicofo environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/jicofo/env.j2" - dest: "{{ matrix_jitsi_jicofo_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_jitsi_enabled | bool - -- name: Ensure jitsi-jicofo configuration files created - ansible.builtin.template: - src: "{{ role_path }}/templates/jicofo/{{ item }}.j2" - dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0644 - with_items: - - sip-communicator.properties - - logging.properties - when: matrix_jitsi_enabled | bool - -- name: Ensure matrix-jitsi-jicofo.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - mode: 0644 - register: matrix_jitsi_jicofo_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jicofo service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - register: matrix_jitsi_jicofo_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-jicofo is stopped - ansible.builtin.service: - name: matrix-jitsi-jicofo - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jicofo.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jicofo paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_jicofo_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb.yml deleted file mode 100644 index 966572af5..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ /dev/null @@ -1,102 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-jvb -# - -- name: Ensure Matrix jitsi-jvb path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_jvb_base_path }}", when: true} - - {path: "{{ matrix_jitsi_jvb_config_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -- name: Ensure jitsi-jvb Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_jvb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-jvb configuration files created - ansible.builtin.template: - src: "{{ role_path }}/templates/jvb/{{ item }}.j2" - dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0644 - with_items: - - custom-sip-communicator.properties - - logging.properties - when: matrix_jitsi_enabled | bool - -- name: Ensure jitsi-jvb environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/jvb/env.j2" - dest: "{{ matrix_jitsi_jvb_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_jitsi_enabled | bool - -- name: Ensure matrix-jitsi-jvb.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - mode: 0644 - register: matrix_jitsi_jvb_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jvb (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jvb service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - register: matrix_jitsi_jvb_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-jvb is stopped - ansible.builtin.service: - name: matrix-jitsi-jvb - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jvb.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jvb paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_jvb_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml deleted file mode 100644 index 1a1656b2c..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ /dev/null @@ -1,99 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-prosody -# - -- name: Ensure Matrix jitsi-prosody environment exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -- name: Ensure jitsi-prosody Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_prosody_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-prosody environment variables file is created - ansible.builtin.template: - src: "{{ role_path }}/templates/prosody/env.j2" - dest: "{{ matrix_jitsi_prosody_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_jitsi_enabled | bool - -- name: Ensure matrix-jitsi-prosody.service file is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - mode: 0644 - register: matrix_jitsi_prosody_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" - -- name: Ensure authentication is properly configured - ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" - when: - - matrix_jitsi_enabled | bool - - matrix_jitsi_enable_auth | bool - - -# -# Tasks related to getting rid of jitsi-prosody (if it was previously enabled) -# - -- name: Ensure matrix-jitsi-prosody.service file exists - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - register: matrix_jitsi_prosody_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-prosody is stopped - ansible.builtin.service: - name: matrix-jitsi-prosody - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-prosody.service file doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-prosody paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_prosody_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web.yml deleted file mode 100644 index b6d3241b5..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web.yml +++ /dev/null @@ -1,104 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-web -# - -- name: Ensure Matrix jitsi-web path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_web_base_path }}", when: true} - - {path: "{{ matrix_jitsi_web_config_path }}", when: true} - - {path: "{{ matrix_jitsi_web_transcripts_path }}", when: true} - - {path: "{{ matrix_jitsi_web_crontabs_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -- name: Ensure jitsi-web Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_web_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-web environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/web/env.j2" - dest: "{{ matrix_jitsi_web_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_jitsi_enabled | bool - -- name: Ensure jitsi-web configuration files created - ansible.builtin.template: - src: "{{ role_path }}/templates/web/{{ item }}.j2" - dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0644 - with_items: - - custom-config.js - - custom-interface_config.js - when: matrix_jitsi_enabled | bool - -- name: Ensure matrix-jitsi-web.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - mode: 0644 - register: matrix_jitsi_web_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd reloaded after matrix-jitsi-web.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-web (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-web service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - register: matrix_jitsi_web_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-web is stopped - ansible.builtin.service: - name: matrix-jitsi-web - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-web.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-web.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-web paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_web_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml deleted file mode 100644 index 4edc5431b..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -# -# Start Necessary Services -# - -- name: Ensure matrix-jitsi-prosody container is running - ansible.builtin.systemd: - state: started - name: matrix-jitsi-prosody - register: matrix_jitsi_prosody_start_result - - -# -# Tasks related to configuring Jitsi internal authentication -# - -- name: Ensure Jitsi internal authentication users are configured - ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" - when: - - matrix_jitsi_auth_type == "internal" - - matrix_jitsi_prosody_auth_internal_accounts|length > 0 - register: matrix_jitsi_user_configuration_result - changed_when: matrix_jitsi_user_configuration_result.rc == 0 - -# -# Tasks related to configuring other Jitsi authentication mechanisms -# - -# -# Tasks related to cleaning after Jitsi authentication configuration -# - -# -# Stop Necessary Services -# -- name: Ensure matrix-jitsi-prosody container is stopped if necessary - ansible.builtin.systemd: - state: stopped - name: matrix-jitsi-prosody - when: matrix_jitsi_prosody_start_result.changed | bool diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml deleted file mode 100644 index df87b7589..000000000 --- a/roles/custom/matrix-jitsi/tasks/validate_config.yml +++ /dev/null @@ -1,68 +0,0 @@ ---- - -- name: Fail if required Jitsi settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. - - If you're setting up Jitsi for the first time, you may have missed a step. - Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - - If you had previously setup Jitsi successfully and are only now facing this error, - it means that your installation is most likely using default passwords previously defined by the playbook. - These defaults are insecure. Jitsi should be rebuilt with secure values. - Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). - when: "vars[item] == ''" - with_items: - - "matrix_jitsi_jibri_xmpp_password" - - "matrix_jitsi_jibri_recorder_password" - - "matrix_jitsi_jicofo_auth_password" - - "matrix_jitsi_jvb_auth_password" - - -- name: Fail if a Jitsi internal authentication account is not defined - ansible.builtin.fail: - msg: >- - At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. - If you're setting up Jitsi for the first time, you may have missed a step. - Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - when: - - matrix_jitsi_enable_auth | bool - - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts|length == 0 - - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': ''} - - {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': ''} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'} - - {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': ''} - - {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': ''} - - {'old': 'matrix_jitsi_web_config_channelLastN', 'new': ''} - - {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': ''} - - {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': ''} - - {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': ''} - - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} - - {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': '/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jicofo_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-jicofo - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 deleted file mode 100644 index c62e04ffe..000000000 --- a/roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 +++ /dev/null @@ -1,9 +0,0 @@ -org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true -org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} - -org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} -org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 - -{% if matrix_jitsi_enable_auth %} -org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }} -{% endif %} diff --git a/roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 b/roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 deleted file mode 100644 index 44b6b8c2c..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 +++ /dev/null @@ -1,7 +0,0 @@ -org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true - -org.jitsi.videobridge.ENABLE_STATISTICS=true -org.jitsi.videobridge.STATISTICS_TRANSPORT=muc -org.jitsi.videobridge.STATISTICS_INTERVAL=5000 - -{{ matrix_jitsi_jvb_custom_config_extension }} diff --git a/roles/custom/matrix-jitsi/templates/jvb/env.j2 b/roles/custom/matrix-jitsi/templates/jvb/env.j2 deleted file mode 100644 index 41d343b31..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/env.j2 +++ /dev/null @@ -1,31 +0,0 @@ -DOCKER_HOST_ADDRESS -ENABLE_COLIBRI_WEBSOCKET -ENABLE_OCTO -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} -JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} -JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -{% if matrix_jitsi_jvb_stun_servers|length > 0 %} -JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} -{% endif %} -JVB_OCTO_BIND_ADDRESS -JVB_OCTO_PUBLIC_ADDRESS -JVB_OCTO_BIND_PORT -JVB_OCTO_REGION -JVB_WS_DOMAIN -JVB_WS_SERVER_ID -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -SENTRY_DSN="${JVB_SENTRY_DSN:-0}" -SENTRY_ENVIRONMENT -SENTRY_RELEASE -COLIBRI_REST_ENABLED -SHUTDOWN_REST_ENABLED -TZ={{ matrix_jitsi_timezone }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} - -{{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 deleted file mode 100644 index ff1d30a64..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 +++ /dev/null @@ -1,20 +0,0 @@ -{% raw %} -{{ if .Env.SENTRY_DSN | default "0" | toBool }} -handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler -{{ else }} -handlers= java.util.logging.ConsoleHandler -{{ end }} -{% endraw %} - -java.util.logging.ConsoleHandler.level = ALL -java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter - -net.java.sip.communicator.util.ScLogFormatter.programname=JVB - -.level=INFO - -org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE -io.sentry.jul.SentryHandler.level=WARNING - -# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. -org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 deleted file mode 100644 index 922d201a7..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ /dev/null @@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-jvb server -{% for service in matrix_jitsi_jvb_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-jvb \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --network-alias=jvb.meet.jitsi \ - --env-file={{ matrix_jitsi_jvb_base_path }}/env \ - {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ - {% endif %} - {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ - {% endif %} - {% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \ - {% endif %} - --mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jvb_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jvb_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-jvb - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 deleted file mode 100644 index 941f2c253..000000000 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ /dev/null @@ -1,60 +0,0 @@ -AUTH_TYPE={{ matrix_jitsi_auth_type }} -DISABLE_POLLS -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} -ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} -ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} -ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} -ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} -ENABLE_XMPP_WEBSOCKET -GLOBAL_CONFIG -GLOBAL_MODULES -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} -JICOFO_COMPONENT_SECRET -JIGASI_XMPP_USER= -JIGASI_XMPP_PASSWORD= -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JWT_APP_ID -JWT_APP_SECRET -JWT_ACCEPTED_ISSUERS -JWT_ACCEPTED_AUDIENCES -JWT_ASAP_KEYSERVER -JWT_ALLOW_EMPTY -JWT_AUTH_TYPE -JWT_TOKEN_AUTH_MODULE -LOG_LEVEL -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} -LDAP_BASE={{ matrix_jitsi_ldap_base }} -LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} -LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} -LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} -LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} -LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} -LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} -LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} -LDAP_URL={{ matrix_jitsi_ldap_url }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} -TURN_HOST={{ matrix_jitsi_turn_host }} -TURNS_HOST={{ matrix_jitsi_turns_host }} -TURN_PORT={{ matrix_jitsi_turn_port }} -TURNS_PORT={{ matrix_jitsi_turns_port }} -TZ={{ matrix_jitsi_timezone }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES= -XMPP_INTERNAL_MUC_MODULES= -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -XMPP_CROSS_DOMAIN=true diff --git a/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 deleted file mode 100644 index 0b2592aed..000000000 --- a/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ /dev/null @@ -1,38 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-prosody server -{% for service in matrix_jitsi_prosody_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-prosody \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --network-alias={{ matrix_jitsi_xmpp_server }} \ - {% if matrix_jitsi_prosody_container_http_host_bind_port %} - -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ - {% endif %} - --env-file={{ matrix_jitsi_prosody_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ - {% for arg in matrix_jitsi_prosody_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_prosody_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-prosody - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 deleted file mode 100644 index bbe85798a..000000000 --- a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 +++ /dev/null @@ -1,18 +0,0 @@ -config.defaultLanguage = {{ matrix_jitsi_web_config_defaultLanguage|to_json }}; - - -if (!config.hasOwnProperty('p2p')) config.p2p = {% raw %}{}{% endraw %}; - -{% if matrix_jitsi_web_stun_servers|length > 0 %} -config.p2p.stunServers = [ - {% for url in matrix_jitsi_web_stun_servers %} - { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} - {% endfor %} -]; -{% endif %} - -{% if matrix_jitsi_etherpad_enabled %} -config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }} -{% endif %} - -{{ matrix_jitsi_web_custom_config_extension }} diff --git a/roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 b/roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 deleted file mode 100644 index 0ad470fce..000000000 --- a/roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 +++ /dev/null @@ -1,3 +0,0 @@ - -{{ matrix_jitsi_web_custom_interface_config_extension }} - diff --git a/roles/custom/matrix-jitsi/templates/web/env.j2 b/roles/custom/matrix-jitsi/templates/web/env.j2 deleted file mode 100644 index 3e9f51b71..000000000 --- a/roles/custom/matrix-jitsi/templates/web/env.j2 +++ /dev/null @@ -1,111 +0,0 @@ -AMPLITUDE_ID -ANALYTICS_SCRIPT_URLS -ANALYTICS_WHITELISTED_EVENTS -CALLSTATS_CUSTOM_SCRIPT_URL -CALLSTATS_ID -CALLSTATS_SECRET -CHROME_EXTENSION_BANNER_JSON -CONFCODE_URL -CONFIG_EXTERNAL_CONNECT -DEFAULT_LANGUAGE -DEPLOYMENTINFO_ENVIRONMENT -DEPLOYMENTINFO_ENVIRONMENT_TYPE -DEPLOYMENTINFO_REGION -DEPLOYMENTINFO_SHARD -DEPLOYMENTINFO_USERREGION -DESKTOP_SHARING_FRAMERATE_MIN -DESKTOP_SHARING_FRAMERATE_MAX -DIALIN_NUMBERS_URL -DIALOUT_AUTH_URL -DIALOUT_CODES_URL -DISABLE_AUDIO_LEVELS -DISABLE_DEEP_LINKING -DISABLE_HTTPS=0 -DISABLE_POLLS -DISABLE_REACTIONS -DROPBOX_APPKEY -DROPBOX_REDIRECT_URI -DYNAMIC_BRANDING_URL -ENABLE_AUDIO_PROCESSING -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} -ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} -ENABLE_CALENDAR -ENABLE_COLIBRI_WEBSOCKET -ENABLE_FILE_RECORDING_SERVICE -ENABLE_FILE_RECORDING_SERVICE_SHARING -ENABLE_FLOC=0 -ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} -ENABLE_HSTS=0 -ENABLE_HTTP_REDIRECT=0 -ENABLE_IPV6 -ENABLE_LETSENCRYPT=0 -ENABLE_LIPSYNC -ENABLE_NO_AUDIO_DETECTION -ENABLE_NOISY_MIC_DETECTION -ENABLE_PREJOIN_PAGE -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} -ENABLE_WELCOME_PAGE -ENABLE_CLOSE_PAGE -ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} -ENABLE_REMB -ENABLE_REQUIRE_DISPLAY_NAME -ENABLE_SIMULCAST -ENABLE_STATS_ID -ENABLE_STEREO -ENABLE_SUBDOMAINS -ENABLE_TALK_WHILE_MUTED -ENABLE_TCC -ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} -ENABLE_XMPP_WEBSOCKET -ENABLE_JAAS_COMPONENTS={{ 1 if matrix_jitsi_enable_jaas_components else false }} -ETHERPAD_PUBLIC_URL -ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} -GOOGLE_ANALYTICS_ID -GOOGLE_API_APP_CLIENT_ID -INVITE_SERVICE_URL -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} -LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} -LETSENCRYPT_USE_STAGING=0 -MATOMO_ENDPOINT -MATOMO_SITE_ID -MICROSOFT_API_APP_CLIENT_ID -NGINX_RESOLVER -NGINX_WORKER_PROCESSES -NGINX_WORKER_CONNECTIONS -PEOPLE_SEARCH_URL -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} -RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} -RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} -RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} -START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_AUDIO_ONLY -START_BITRATE -START_SILENT -START_WITH_AUDIO_MUTED -START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} -START_WITH_VIDEO_MUTED -TESTING_CAP_SCREENSHARE_BITRATE -TESTING_OCTO_PROBABILITY -TOKEN_AUTH_URL -TZ={{ matrix_jitsi_timezone }} -VIDEOQUALITY_BITRATE_H264_LOW -VIDEOQUALITY_BITRATE_H264_STANDARD -VIDEOQUALITY_BITRATE_H264_HIGH -VIDEOQUALITY_BITRATE_VP8_LOW -VIDEOQUALITY_BITRATE_VP8_STANDARD -VIDEOQUALITY_BITRATE_VP8_HIGH -VIDEOQUALITY_BITRATE_VP9_LOW -VIDEOQUALITY_BITRATE_VP9_STANDARD -VIDEOQUALITY_BITRATE_VP9_HIGH -VIDEOQUALITY_ENFORCE_PREFERRED_CODEC -VIDEOQUALITY_PREFERRED_CODEC -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - -{{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 deleted file mode 100644 index fcb5f2213..000000000 --- a/roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-web server -{% for service in matrix_jitsi_web_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-web 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-web 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-web \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --network-alias={{ matrix_jitsi_xmpp_domain }} \ - --env-file={{ matrix_jitsi_web_base_path }}/env \ - {% if matrix_jitsi_web_container_http_host_bind_port %} - -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ - {% endif %} - --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ - --mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \ - {% for arg in matrix_jitsi_web_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_web_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-web 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-web 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-web - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml deleted file mode 100644 index 406236095..000000000 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml +++ /dev/null @@ -1,57 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the matrix_ldap_registration_proxy image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ldap_registration_proxy_container_image_self_build and matrix_ldap_registration_proxy_enabled | bool" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ldap-registration-proxy.service'] }}" - when: matrix_ldap_registration_proxy_enabled | bool - -- when: matrix_ldap_registration_proxy_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: | - location {{ matrix_ldap_registration_proxy_registration_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}"; - proxy_pass http://$backend/register; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register; - {% endif %} - } - - - name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration] - }} - - name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` - URL endpoint to the matrix-ldap-proxy container. - You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. - when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..472503c9a --- /dev/null +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: | + location {{ matrix_ldap_registration_proxy_registration_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}"; + proxy_pass http://$backend/register; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register; + {% endif %} + } + +- name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` + URL endpoint to the matrix-ldap-proxy container. + You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml index 5815774ec..cc71ae82c 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml @@ -1,23 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" - tags: +- tags: - setup-all - - setup-matrix-ldap-registration-proxy + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" - tags: +- tags: - setup-all - setup-matrix-ldap-registration-proxy + - install-all + - install-matrix-ldap-registration-proxy + block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_ldap_registration_proxy_enabled | bool" - tags: +- tags: - setup-all - setup-matrix-ldap-registration-proxy + block: + - when: not matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml index 3ac8f9b8d..3814b1391 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml @@ -12,9 +12,6 @@ - {path: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}", when: true} when: "item.when | bool" -- ansible.builtin.set_fact: - matrix_ldap_registration_proxy_requires_restart: false - - name: Ensure matrix_ldap_registration_proxy repository is present on self-build ansible.builtin.git: repo: "{{ matrix_ldap_registration_proxy_container_image_self_build_repo }}" @@ -49,15 +46,3 @@ src: "{{ role_path }}/templates/systemd/matrix-ldap-registration-proxy.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service" mode: 0644 - register: matrix_ldap_registration_proxy_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_ldap_registration_proxy_systemd_service_result.changed | bool" - -- name: Ensure matrix-ldap-registration-proxy.service restarted, if necessary - ansible.builtin.service: - name: "matrix-ldap-registration-proxy.service" - state: restarted - when: "matrix_ldap_registration_proxy_requires_restart | bool" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml index ed19ad9c1..1d99b4062 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service" register: matrix_ldap_registration_proxy_service_stat -- name: Ensure matrix-matrix_ldap_registration_proxy is stopped - ansible.builtin.service: - name: matrix-matrix_ldap_registration_proxy - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool" +- when: matrix_ldap_registration_proxy_service_stat.stat.exists | bool + block: + - name: Ensure matrix-matrix_ldap_registration_proxy is stopped + ansible.builtin.service: + name: matrix-matrix_ldap_registration_proxy + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-ldap-registration-proxy.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service" - state: absent - when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool" - -- name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist - ansible.builtin.file: - path: "{{ matrix_ldap_registration_proxy_base_path }}" - state: absent + - name: Ensure matrix-ldap-registration-proxy.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service" + state: absent -- name: Ensure matrix_ldap_registration_proxy Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_ldap_registration_proxy_docker_image }}" - state: absent + - name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist + ansible.builtin.file: + path: "{{ matrix_ldap_registration_proxy_base_path }}" + state: absent diff --git a/roles/custom/matrix-ma1sd/defaults/main.yml b/roles/custom/matrix-ma1sd/defaults/main.yml index 3755a46ab..9dc32ce7b 100644 --- a/roles/custom/matrix-ma1sd/defaults/main.yml +++ b/roles/custom/matrix-ma1sd/defaults/main.yml @@ -35,6 +35,13 @@ matrix_ma1sd_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-ma1sd.service wants matrix_ma1sd_systemd_wanted_services_list: [] +# A list of additional container networks that matrix-ma1sd would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance) +# +matrix_ma1sd_container_additional_networks: [] + # Your identity server is private by default. # To ensure maximum discovery, you can make your identity server # also forward lookups to the central matrix.org Identity server @@ -57,7 +64,7 @@ matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db" matrix_ma1sd_database_username: 'matrix_ma1sd' matrix_ma1sd_database_password: 'some-password' -matrix_ma1sd_database_hostname: 'matrix-postgres' +matrix_ma1sd_database_hostname: '' matrix_ma1sd_database_port: 5432 matrix_ma1sd_database_name: 'matrix_ma1sd' diff --git a/roles/custom/matrix-ma1sd/tasks/init.yml b/roles/custom/matrix-ma1sd/tasks/init.yml deleted file mode 100644 index 48226aa07..000000000 --- a/roles/custom/matrix-ma1sd/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the ma1sd image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled | bool" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" - when: matrix_ma1sd_enabled | bool diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index f55e7891c..a9c4ec8b0 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml @@ -1,30 +1,25 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_ma1sd_enabled | bool" - tags: +- tags: - setup-all - setup-ma1sd + - install-all + - install-ma1sd + block: + - when: matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_ma1sd_enabled | bool" - tags: - - setup-all - - setup-ma1sd + - when: matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_ma1sd_enabled | bool" - tags: - - setup-all +- tags: - setup-ma1sd + block: + - when: not matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_ma1sd_enabled | bool" - tags: +- tags: - self-check + block: + - when: matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml deleted file mode 100644 index ee7228959..000000000 --- a/roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml +++ /dev/null @@ -1,80 +0,0 @@ ---- - -# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. - -- name: Check for existent mxisd data - ansible.builtin.stat: - path: "{{ matrix_base_data_path }}/mxisd/data" - register: ma1sd_migrate_mxisd_data_dir_stat - -- name: Warn if mxisd data detected - ansible.builtin.debug: - msg: > - You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`. - We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Check existence of old matrix-mxisd service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped - ansible.builtin.service: - name: matrix-mxisd - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mxisd_service_stat.stat.exists" - -- name: Check existence of matrix-ma1sd service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" - register: matrix_ma1sd_service_stat - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Ensure matrix-ma1sd is stopped - ansible.builtin.service: - name: matrix-ma1sd - state: stopped - daemon_reload: true - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" - -# We use shell commands for the migration, because the Ansible copy module cannot -# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible. -- when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - block: - - name: Copy mxisd data files to ma1sd folder - ansible.builtin.command: - cmd: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}" - register: matrix_ma1sd_migrate_mxisd_data_files_copying_result - changed_when: matrix_ma1sd_migrate_mxisd_data_files_copying_result.rc == 0 - - - name: Check existence of mxisd.db file - ansible.builtin.stat: - path: "{{ matrix_ma1sd_data_path }}/mxisd.db" - register: matrix_ma1sd_mxisd_db_stat - - - name: Rename database (mxisd.db -> ma1sd.db) - ansible.builtin.command: - cmd: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db" - register: matrix_ma1sd_migrate_mxisd_move_db_result - changed_when: matrix_ma1sd_migrate_mxisd_move_db_result.rc == 0 - when: "matrix_ma1sd_mxisd_db_stat.stat.exists" - - - name: Rename mxisd folder - ansible.builtin.command: - cmd: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" - register: matrix_ma1sd_migrate_mxisd_move_directory_result - changed_when: matrix_ma1sd_migrate_mxisd_move_directory_result.rc == 0 - -- name: Ensure outdated matrix-mxisd.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mxisd.service" - state: absent - when: "matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service - ansible.builtin.service: - daemon_reload: true - when: "matrix_mxisd_service_stat.stat.exists" diff --git a/roles/custom/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/custom/matrix-ma1sd/tasks/self_check.yml similarity index 95% rename from roles/custom/matrix-ma1sd/tasks/self_check_ma1sd.yml rename to roles/custom/matrix-ma1sd/tasks/self_check.yml index 6fde9dd2f..66765727e 100644 --- a/roles/custom/matrix-ma1sd/tasks/self_check_ma1sd.yml +++ b/roles/custom/matrix-ma1sd/tasks/self_check.yml @@ -11,6 +11,8 @@ check_mode: false register: result_ma1sd ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if ma1sd Identity Service not working ansible.builtin.fail: diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index b9668a053..5800b45a7 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml @@ -13,9 +13,6 @@ - {path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} when: "item.when | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" - - # These (SQLite -> Postgres) migration tasks are usually at the top, # but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist. - ansible.builtin.set_fact: @@ -30,8 +27,11 @@ - when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_ma1sd_sqlite_database_path_local }}" dst: "{{ matrix_ma1sd_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -40,10 +40,6 @@ systemd_services_to_stop: ['matrix-ma1sd.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_ma1sd_requires_restart: true @@ -93,6 +89,7 @@ chdir: "{{ matrix_ma1sd_docker_src_files_path }}" environment: DOCKER_BUILDKIT: 1 + changed_when: true when: matrix_ma1sd_git_pull_results.changed - name: Ensure ma1sd Docker image is tagged correctly @@ -159,15 +156,10 @@ src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" mode: 0644 - register: matrix_ma1sd_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ma1sd.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_ma1sd_systemd_service_result.changed | bool" - name: Ensure matrix-ma1sd.service restarted, if necessary ansible.builtin.service: name: "matrix-ma1sd.service" state: restarted + daemon_reload: true when: "matrix_ma1sd_requires_restart | bool" diff --git a/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml b/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml index c7e8bf633..b27df269e 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" register: matrix_ma1sd_service_stat -- name: Ensure matrix-ma1sd is stopped - ansible.builtin.service: - name: matrix-ma1sd - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_ma1sd_service_stat.stat.exists | bool" +- when: matrix_ma1sd_service_stat.stat.exists | bool + block: + - name: Ensure matrix-ma1sd is stopped + ansible.builtin.service: + name: matrix-ma1sd + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-ma1sd.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" - state: absent - when: "matrix_ma1sd_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-ma1sd.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_ma1sd_service_stat.stat.exists | bool" - -- name: Ensure Matrix ma1sd paths don't exist - ansible.builtin.file: - path: "{{ matrix_ma1sd_base_path }}" - state: absent + - name: Ensure matrix-ma1sd.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" + state: absent -- name: Ensure ma1sd Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_ma1sd_docker_image }}" - state: absent + - name: Ensure Matrix ma1sd paths don't exist + ansible.builtin.file: + path: "{{ matrix_ma1sd_base_path }}" + state: absent diff --git a/roles/custom/matrix-ma1sd/tasks/validate_config.yml b/roles/custom/matrix-ma1sd/tasks/validate_config.yml index af12dd3f1..b490a5c62 100644 --- a/roles/custom/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/custom/matrix-ma1sd/tasks/validate_config.yml @@ -42,11 +42,12 @@ - name: Fail if required ma1sd settings not defined ansible.builtin.fail: msg: > - You need to define a required configuration setting (`{{ item }}`) for using ma1sd. - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" - - "matrix_ma1sd_dns_overwrite_homeserver_client_value" + - {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true} + - {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true} + - {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed ma1sd variables ansible.builtin.fail: diff --git a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 9dbddbbf1..55505ab69 100644 --- a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -18,7 +18,9 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option. -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ma1sd \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-ma1sd \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -38,6 +40,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_ma1sd_docker_image }} +{% for network in matrix_ma1sd_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-ma1sd + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ma1sd 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true' Restart=always diff --git a/roles/custom/matrix-mailer/defaults/main.yml b/roles/custom/matrix-mailer/defaults/main.yml index 48cd638ce..71e87532a 100644 --- a/roles/custom/matrix-mailer/defaults/main.yml +++ b/roles/custom/matrix-mailer/defaults/main.yml @@ -10,7 +10,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.95-r0-4 +matrix_mailer_version: 4.96-r1-0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-mailer/tasks/init.yml b/roles/custom/matrix-mailer/tasks/init.yml deleted file mode 100644 index 487ed0c9c..000000000 --- a/roles/custom/matrix-mailer/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Matrix Mailer image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" - when: matrix_mailer_enabled | bool diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml index e49ff26d6..00fa0884e 100644 --- a/roles/custom/matrix-mailer/tasks/main.yml +++ b/roles/custom/matrix-mailer/tasks/main.yml @@ -1,11 +1,17 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always +- tags: + - setup-all + - setup-mailer + - install-all + - install-mailer + block: + - when: matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-mailer + block: + - when: not matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-mailer/tasks/setup_mailer.yml b/roles/custom/matrix-mailer/tasks/setup_install.yml similarity index 53% rename from roles/custom/matrix-mailer/tasks/setup_mailer.yml rename to roles/custom/matrix-mailer/tasks/setup_install.yml index 5d81565a2..c03d0af64 100644 --- a/roles/custom/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/custom/matrix-mailer/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up the mailer -# - - name: Ensure mailer base path exists ansible.builtin.file: path: "{{ item.path }}" @@ -14,14 +10,13 @@ with_items: - {path: "{{ matrix_mailer_base_path }}", when: true} - {path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}"} - when: "matrix_mailer_enabled | bool and item.when" + when: item.when | bool - name: Ensure mailer environment variables file created ansible.builtin.template: src: "{{ role_path }}/templates/env-mailer.j2" dest: "{{ matrix_mailer_base_path }}/env-mailer" mode: 0640 - when: matrix_mailer_enabled | bool - name: Ensure exim-relay repository is present on self-build ansible.builtin.git: @@ -32,7 +27,7 @@ become: true become_user: "{{ matrix_user_username }}" register: matrix_mailer_git_pull_results - when: "matrix_mailer_enabled | bool and matrix_mailer_container_image_self_build | bool" + when: matrix_mailer_container_image_self_build | bool - name: Ensure exim-relay Docker image is built community.docker.docker_image: @@ -44,7 +39,7 @@ dockerfile: Dockerfile path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" pull: true - when: "matrix_mailer_enabled | bool and matrix_mailer_container_image_self_build | bool" + when: matrix_mailer_container_image_self_build | bool - name: Ensure exim-relay image is pulled community.docker.docker_image: @@ -52,7 +47,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}" - when: "matrix_mailer_enabled | bool and not matrix_mailer_container_image_self_build | bool" + when: "not matrix_mailer_container_image_self_build | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -63,52 +58,3 @@ src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" mode: 0644 - register: matrix_mailer_systemd_service_result - when: matrix_mailer_enabled | bool - -- name: Ensure systemd reloaded after matrix-mailer.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mailer_enabled | bool and matrix_mailer_systemd_service_result.changed" - -# -# Tasks related to getting rid of the mailer (if it was previously enabled) -# - -- name: Check existence of matrix-mailer service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" - register: matrix_mailer_service_stat - when: "not matrix_mailer_enabled | bool" - -- name: Ensure matrix-mailer is stopped - ansible.builtin.service: - name: matrix-mailer - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_mailer_enabled | bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure matrix-mailer.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" - state: absent - when: "not matrix_mailer_enabled | bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mailer.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_mailer_enabled | bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure Matrix mailer environment variables path doesn't exist - ansible.builtin.file: - path: "{{ matrix_mailer_base_path }}" - state: absent - when: "not matrix_mailer_enabled | bool" - -- name: Ensure mailer Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_mailer_docker_image }}" - state: absent - when: "not matrix_mailer_enabled | bool" diff --git a/roles/custom/matrix-mailer/tasks/setup_uninstall.yml b/roles/custom/matrix-mailer/tasks/setup_uninstall.yml new file mode 100644 index 000000000..fce8a4362 --- /dev/null +++ b/roles/custom/matrix-mailer/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-mailer service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" + register: matrix_mailer_service_stat + +- when: matrix_mailer_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mailer is stopped + ansible.builtin.service: + name: matrix-mailer + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-mailer.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" + state: absent + + - name: Ensure Matrix mailer path doesn't exist + ansible.builtin.file: + path: "{{ matrix_mailer_base_path }}" + state: absent diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml new file mode 100644 index 000000000..312e02588 --- /dev/null +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -0,0 +1,698 @@ +--- +# matrix-media-repo is a highly customizable multi-domain media repository for Matrix. +# Intended for medium to large environments consisting of several homeservers, this +# media repo de-duplicates media (including remote media) while being fully compliant +# with the specification. +# See: https://github.com/turt2live/matrix-media-repo + +matrix_media_repo_enabled: false + +# matrix_media_repo_identifier controls the identifier of this media-repo instance, which influences: +# - the default storage path +# - the names of systemd services +matrix_media_repo_identifier: matrix-media-repo + +matrix_media_repo_container_image_self_build: false +matrix_media_repo_container_image_self_build_repo: "https://github.com/turt2live/matrix-media-repo.git" + +matrix_media_repo_docker_image_path: "turt2live/matrix-media-repo" +matrix_media_repo_docker_image: "{{ matrix_media_repo_docker_image_name_prefix }}{{ matrix_media_repo_docker_image_path }}:{{ matrix_media_repo_docker_image_tag }}" +matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_repo_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_media_repo_docker_image_tag: "v1.2.13" +matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" + +matrix_media_repo_base_path: "{{ matrix_base_data_path }}/{{ matrix_media_repo_identifier }}" +matrix_media_repo_config_path: "{{ matrix_media_repo_base_path }}/config" +matrix_media_repo_data_path: "{{ matrix_media_repo_base_path }}/data" +matrix_media_repo_docker_src_files_path: "{{ matrix_media_repo_base_path }}/docker-src" + +# List of systemd services that matrix-conduit.service depends on +matrix_media_repo_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-conduit.service wants +matrix_media_repo_systemd_wanted_services_list: [] + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_media_repo_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_media_repo_container_additional_networks: [] + +# Controls whether the matrix-media-repo container exposes its HTTP port (tcp/8000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8000"), or empty string to not expose. +matrix_media_repo_container_http_host_bind_port: "" + +# Controls whether the matrix-media-repo container exposes its metrics port (tcp/9000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9000"), or empty string to not expose. +matrix_media_repo_container_metrics_host_bind_port: "" + +# Extra arguments for the Docker container +matrix_media_repo_container_extra_arguments: [] + +# matrix_media_repo_dashboard_urls contains a list of URLs with Grafana dashboard definitions. +# If the Grafana role is enabled, these dashboards will be downloaded. +matrix_media_repo_dashboard_urls: + - https://raw.githubusercontent.com/spantaleev/matrix-docker-ansible-deploy/master/roles/custom/matrix-media-repo/templates/grafana/media-repo.json + +# ***************************************************************************** +# Configuration File Settings +# ***************************************************************************** + +# General repo configuration +matrix_media_repo_bind_address: '0.0.0.0' +matrix_media_repo_port: 8000 + +# Where to store the logs, relative to where the repo is started from. Logs will be automatically +# rotated every day and held for 14 days. To disable the repo logging to files, set this to +# "-" (including quotation marks). +# +# Note: to change the log directory you'll have to restart the repository. This setting cannot be +# live reloaded. +matrix_media_repo_log_directory: "-" + +# Set to true to enable color coding in your logs. Note that this may cause escape sequences to +# appear in logs which render them unreadable, which is why colors are disabled by default. +matrix_media_repo_log_colors: false + +# Set to true to enable JSON logging for consumption by things like logstash. Note that this is +# incompatible with the log color option and will always render without colors. +matrix_media_repo_json_logs: false + +# The log level to log at. Note that this will need to be at least "info" to receive support. +# +# Values (in increasing spam): panic | fatal | error | warn | info | debug | trace +matrix_media_repo_log_level: "info" + +# If true, the media repo will accept any X-Forwarded-For header without validation. In most cases +# this option should be left as "false". Note that the media repo already expects an X-Forwarded-For +# header, but validates it to ensure the IP being given makes sense. +matrix_media_repo_trust_any_forwarded_address: false + +# If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. +# Typically this should remain as true, though in some circumstances it may need to be disabled. +# See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. +matrix_media_repo_use_forwarded_host: true + +# Options for dealing with federation + +# On a per-host basis, the number of consecutive failures in calling the host before the +# media repo will back off. This defaults to 20 if not given. Note that 404 errors from +# the remote server do not count towards this. +matrix_media_repo_federation_backoff_at: 20 + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. Using the same server is fine, just not the same username and database. +matrix_media_repo_database_username: "matrix_media_repo" +matrix_media_repo_database_password: "your_password" +matrix_media_repo_database_hostname: "{{ devture_postgres_identifier }}" +matrix_media_repo_database_port: 5432 +matrix_media_repo_database_name: "matrix_media_repo" + +# Currently only "postgres" is supported. +matrix_media_repo_database_postgres: "postgres://{{ matrix_media_repo_database_username }}:{{ matrix_media_repo_database_password }}@{{ matrix_media_repo_database_hostname }}:{{ matrix_media_repo_database_port }}/{{ matrix_media_repo_database_name }}?sslmode=disable" + +# The database pooling options + +# The maximum number of connects to hold open. More of these allow for more concurrent +# processes to happen. +matrix_media_repo_database_max_connections: 25 + +# The maximum number of connects to leave idle. More of these reduces the time it takes +# to serve requests in low-traffic scenarios. +matrix_media_repo_database_max_idle_connections: 5 + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +matrix_media_repo_homeservers: + homeservers: + # This should match the server_name of your homeserver, and the Host header + # provided to the media repo. + - name: "{{ matrix_server_fqn_matrix }}" + + # The base URL to where the homeserver can actually be reached + csApi: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" + + # The number of consecutive failures in calling this homeserver before the + # media repository will start backing off. This defaults to 10 if not given. + backoffAt: 10 + + # The kind of admin API the homeserver supports. If set to "matrix", + # the media repo will use the Synapse-defined endpoints under the + # unstable client-server API. When this is "synapse", the new /_synapse + # endpoints will be used instead. Unknown values are treated as the + # default, "matrix". + adminApiKind: "{{ 'synapse' if matrix_homeserver_implementation == 'synapse' else 'matrix' }}" + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. +# +# *************************************************************************** +# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * +# *************************************************************************** +matrix_media_repo_access_tokens: + accessTokens: + # The maximum time a cached access token will be considered valid. Set to zero (the default) + # to disable the cache and constantly hit the homeserver. This is recommended to be set to + # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and + # zero for servers who do not proxy the endpoints through. + maxCacheTimeSeconds: 43200 + + # Whether or not to use the `appservices` config option below. If disabled (the default), + # the regular access token cache will be used for each user, potentially leading to high + # memory usage. + useLocalAppserviceConfig: false + + # The application services (and their namespaces) registered on the homeserver. Only used + # if `useLocalAppserviceConfig` is enabled (recommended). + # + # Usually the appservice will provide you with these config details - they'll just need + # translating from the appservice registration to here. Note that this does not require + # all options from the registration, and only requires the bare minimum required to run + # the media repo. + # appservices: + # - id: Name_of_appservice_for_your_reference + # asToken: Secret_token_for_appservices_to_use + # senderUserId: "@_example_bridge:yourdomain.com" + # userNamespaces: + # - regex: "@_example_bridge_.+:yourdomain.com" + # # A note about regexes: it is best to suffix *all* namespaces with the homeserver + # # domain users are valid for, as otherwise the appservice can use any user with + # # any domain name it feels like, even if that domain is not configured with the + # # media repo. This will lead to inaccurate reporting in the case of the media + # # repo, and potentially leading to media being considered "remote". + +# These users have full access to the administrative functions of the media repository. +# See docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +matrix_media_repo_admins: + admins: [] +# admins: +# - "@your_username:example.org" + +# Shared secret auth is useful for applications building on top of the media repository, such +# as a management interface. The `token` provided here is treated as a repository administrator +# when shared secret auth is enabled: if the `token` is used in place of an access token, the' +# request will be authorized. This is not limited to any particular domain, giving applications +# the ability to use it on any configured hostname. +# Set this to true to enable shared secret auth. +matrix_media_repo_shared_secret_auth_enabled: false + +# Use a secure value here to prevent unauthorized access to the media repository. +matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere" + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +matrix_media_repo_datastores: + datastores: + - type: file + enabled: true # Enable this to set up data storage. + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + path: /data/media + + - type: s3 + enabled: false # Enable this to set up s3 uploads + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). If you aren't concerned about + # memory usage, set this to an empty string. + tempPath: "/tmp/mediarepo_s3_upload" + endpoint: sfo2.digitaloceanspaces.com + accessKeyId: "" + accessSecret: "" + ssl: true + bucketName: "your-media-bucket" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + # region: "sfo2" + # An optional storage class for tuning how the media is stored at s3. + # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use. + # storageClass: STANDARD + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + enabled: false # Enable this to use IPFS support + forKinds: ["local_media"] + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +# Options for controlling archives. Archives are exports of a particular user's content for +# the purpose of GDPR or moving media to a different server. + +# Whether archiving is enabled or not. Default enabled. +matrix_media_repo_archiving_enabled: true +# If true, users can request a copy of their own data. By default, only repository administrators +# can request a copy. +# This includes the ability for homeserver admins to request a copy of their own server's +# data, as known to the repo. +matrix_media_repo_archiving_self_service: false +# The number of bytes to target per archive before breaking up the files. This is independent +# of any file upload limits and will require a similar amount of memory when performing an export. +# The file size is also a target, not a guarantee - it is possible to have files that are smaller +# or larger than the target. This is recommended to be approximately double the size of your +# file upload limit, provided there is enough memory available for the demand of exporting. +matrix_media_repo_archiving_target_bytes_per_part: 209715200 # 200mb default + +# The file upload settings for the media repository +matrix_media_repo_uploads: + uploads: + # The maximum individual file size a user can upload. + maxBytes: 104857600 # 100MB default, 0 to disable + + # The minimum number of bytes to let people upload. This is recommended to be non-zero to + # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend + # to waste more CPU and database resources than small files, thus a default of 100 bytes + # is applied here as an approximate break-even point. + minBytes: 100 # 100 bytes by default + + # The number of bytes to claim as the maximum size for uploads for the limits API. If this + # is not provided then the maxBytes setting will be used instead. This is useful to provide + # if the media repo's settings and the reverse proxy do not match for maximum request size. + # This is purely for informational reasons and does not actually limit any functionality. + # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. + reportedMaxBytes: 0 + + # Options for limiting how much content a user can upload. Quotas are applied to content + # associated with a user regardless of de-duplication. Quotas which affect remote servers + # or users will not take effect. When a user exceeds their quota they will be unable to + # upload any more media. + quotas: + # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo + # will track how much media a user has uploaded. This is disabled by default. + enabled: false + + # The quota rules that affect users. The first rule to match the uploader will take effect. + # An implied rule which matches all users and has no quota is always last in this list, + # meaning that if no rules are supplied then users will be able to upload anything. Similarly, + # if no rules match a user then the implied rule will match, allowing the user to have no + # quota. The quota will let the user upload to 1 media past their quota, meaning that from + # a statistics perspective the user might exceed their quota however only by a small amount. + users: + - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character. + maxBytes: 53687063712 # 50GB default, 0 to disable + +# Settings related to downloading files from the media repository + +# The maximum number of bytes to download from other servers +matrix_media_repo_downloads_max_bytes: 104857600 # 100MB default, 0 to disable + +# The number of workers to use when downloading remote media. Raise this number if remote +# media is downloading slowly or timing out. +# +# Maximum memory usage = numWorkers multiplied by the maximum download size +# Average memory usage is dependent on how many concurrent downloads your users are doing. +matrix_media_repo_downloads_num_workers: 10 + +# How long, in minutes, to cache errors related to downloading remote media. Once this time +# has passed, the media is able to be re-requested. +matrix_media_repo_downloads_failure_cache_minutes: 5 + +# The cache control settings for downloads. This can help speed up downloads for users by +# keeping popular media in the cache. This cache is also used for thumbnails. +matrix_media_repo_downloads_cache_enabled: true + +# The maximum size of cache to have. Higher numbers are better. +matrix_media_repo_downloads_cache_max_size_bytes: 1048576000 # 1GB default + +# The maximum file size to cache. This should normally be the same size as your maximum +# upload size. +matrix_media_repo_downloads_cache_max_file_size_bytes: 104857600 # 100MB default + +# The number of minutes to track how many downloads a file gets +matrix_media_repo_downloads_cache_tracked_minutes: 30 + +# The number of downloads a file must receive in the window above (trackedMinutes) in +# order to be cached. +matrix_media_repo_downloads_cache_min_downloads: 5 + +# The minimum amount of time an item should remain in the cache. This prevents the cache +# from cycling out the file if it needs more room during this time. Note that the media +# repo regularly cleans out media which is past this point from the cache, so this number +# may need increasing depending on your use case. If the maxSizeBytes is reached for the +# media repo, and some cached items are still under this timer, new items will not be able +# to enter the cache. When this happens, consider raising maxSizeBytes or lowering this +# timer. +matrix_media_repo_downloads_cache_min_cache_time_seconds: 300 + +# The minimum amount of time an item should remain outside the cache once it is removed. +matrix_media_repo_downloads_cache_min_evicted_time_seconds: 60 + +# How many days after a piece of remote content is downloaded before it expires. It can be +# re-downloaded on demand, this just helps free up space in your datastore. Set to zero or +# negative to disable. Defaults to disabled. +matrix_media_repo_downloads_expire_after_days: 0 + +# URL Preview settings +matrix_media_repo_url_previews: + urlPreviews: + enabled: true # If enabled, the preview_url routes will be accessible + maxPageSizeBytes: 10485760 # 10MB default, 0 to disable + + # If true, the media repository will try to provide previews for URLs with invalid or unsafe + # certificates. If false (the default), the media repo will fail requests to said URLs. + previewUnsafeCertificates: false + + # Note: URL previews are limited to a given number of words, which are then limited to a number + # of characters, taking off the last word if it needs to. This also applies for the title. + + numWords: 50 # The number of words to include in a preview (maximum) + maxLength: 200 # The maximum number of characters for a description + + numTitleWords: 30 # The maximum number of words to include in a preview's title + maxTitleLength: 150 # The maximum number of characters for a title + + # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are + # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be + # an image and the image's type must be allowed by the thumbnailer. + filePreviewTypes: + - "image/*" + + # The number of workers to use when generating url previews. Raise this number if url + # previews are slow or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum page size + # Average memory usage is dependent on how many concurrent urls your users are previewing. + numWorkers: 10 + + # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they + # will be merged. URL previews will be disabled if neither is supplied. Each entry must be + # a CIDR range. + disallowedNetworks: + - "127.0.0.1/8" + - "10.0.0.0/8" + - "172.16.0.0/12" + - "192.168.0.0/16" + - "100.64.0.0/10" + - "169.254.0.0/16" + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + allowedNetworks: + # "Everything". The blacklist will help limit this. + # This is the default value for this field. + - "0.0.0.0/0" + + # How many days after a preview is generated before it expires and is deleted. The preview + # can be regenerated safely - this just helps free up some space in your database. Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 0 + + # The default Accept-Language header to supply when generating URL previews when one isn't + # supplied by the client. + # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language + defaultLanguage: "en-US,en" + + # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for + # sites that do not support OpenGraph or page scraping, such as Twitter. For information on + # specifying providers for oEmbed, including your own, see the following documentation: + # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html + # Defaults to disabled. + oEmbed: false + +# The thumbnail configuration for the media repository. +matrix_media_repo_thumbnails: + thumbnails: + # The maximum number of bytes an image can be before the thumbnailer refuses. + maxSourceBytes: 10485760 # 10MB default, 0 to disable + + # The maximum number of pixels an image can have before the thumbnailer refuses. Note that + # this only applies to image types: file types like audio and video are affected solely by + # the maxSourceBytes. + maxPixels: 32000000 # 32M default + + # The number of workers to use when generating thumbnails. Raise this number if thumbnails + # are slow to generate or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum image source size + # Average memory usage is dependent on how many thumbnails are being generated by your users + numWorkers: 100 + + # All thumbnails are generated into one of the sizes listed here. The first size is used as + # the default for when no width or height is requested. The media repository will return + # either an exact match or the next largest size of thumbnail. + sizes: + - width: 32 + height: 32 + - width: 96 + height: 96 + - width: 320 + height: 240 + - width: 640 + height: 480 + - width: 768 # This size is primarily used for audio thumbnailing. + height: 240 + - width: 800 + height: 600 + + # To allow for thumbnails to be any size, not just in the sizes specified above, set this to + # true (default false). When enabled, whatever size requested by the client will be generated + # up to a maximum of the largest possible dimensions in the `sizes` list. For best results, + # specify only one size in the `sizes` list when this option is enabled. + dynamicSizing: false + + # The content types to thumbnail when requested. Types that are not supported by the media repo + # will not be thumbnailed (adding application/json here won't work). Clients may still not request + # thumbnails for these types - this won't make clients automatically thumbnail these file types. + types: + - "image/jpeg" + - "image/jpg" + - "image/png" + - "image/apng" + - "image/gif" + - "image/heif" + - "image/webp" + # - "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files + - "audio/mpeg" + - "audio/ogg" + - "audio/wav" + - "audio/flac" + # - "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files + + # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated + # thumbnails, set this to false. If disabled, regular thumbnails will be returned. + allowAnimated: true + + # Default to animated thumbnails, if available + defaultAnimated: false + + # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image + # is larger than this, the thumbnail will be generated as a static image. + maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable + + # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try + # and thumbnail animated content? Defaults to 0.5 (middle of animation). + stillFrame: 0.5 + + # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail + # can be regenerated safely - this just helps free up some space in your datastores. Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 0 + +# Controls for the rate limit functionality + +# Set this to false if rate limiting is handled at a higher level or you don't want it enabled. +matrix_media_repo_rate_limit_enabled: true + +# The number of requests per second before an IP will be rate limited. Must be a whole number. +matrix_media_repo_rate_limit_requests_per_second: 1 + +# The number of requests an IP can send at once before the rate limit is actually considered. +matrix_media_repo_rate_limit_burst: 10 + +# Identicons are generated avatars for a given username. Some clients use these to give users a +# default avatar after signing up. Identicons are not part of the official matrix spec, therefore +# this feature is completely optional. +matrix_media_repo_identicons_enabled: true + +# The quarantine media settings. + +# If true, when a thumbnail of quarantined media is requested an image will be returned. If no +# image is given in the thumbnailPath below then a generated image will be provided. This does +# not affect regular downloads of files. +matrix_media_repo_quarantine_replace_thumbnails: true + +# If true, when media which has been quarantined is requested an image will be returned. If +# no image is given in the thumbnailPath below then a generated image will be provided. This +# will replace media which is not an image (ie: quarantining a PDF will replace the PDF with +# an image). +matrix_media_repo_quarantine_replace_downloads: false + +# If provided, the given image will be returned as a thumbnail for media that is quarantined. +matrix_media_repo_quarantine_thumbnail_path: "" + +# If true, administrators of the configured homeservers may quarantine media for their server +# only. Global administrators can quarantine any media (local or remote) regardless of this +# flag. +matrix_media_repo_quarantine_allow_local_admins: true + +# The various timeouts that the media repo will use. + +# The maximum amount of time the media repo should spend trying to fetch a resource that is +# being previewed. +matrix_media_repo_timeouts_url_preview_timeout_seconds: 10 + +# The maximum amount of time the media repo will spend making remote requests to other repos +# or homeservers. This is primarily used to download media. +matrix_media_repo_timeouts_federation_timeout_seconds: 120 + +# The maximum amount of time the media repo will spend talking to your configured homeservers. +# This is usually used to verify a user's identity. +matrix_media_repo_timeouts_client_server_timeout_seconds: 30 + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json + +# If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. +matrix_media_repo_metrics_enabled: false + +# The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. +matrix_media_repo_metrics_bind_address: "0.0.0.0" + +# The port to listen on. Cannot be the same as the general web server port. +matrix_media_repo_metrics_port: 9000 + +# Plugins are optional pieces of the media repo used to extend the functionality offered. +# Currently there are only antispam plugins, but in future there should be more options. +# Plugins are not supported on per-domain paths and are instead repo-wide. For more +# information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix. +matrix_media_repo_plugins: + plugins: [] + + # An example OCR plugin to block images with certain text. Note that the Docker image + # for the media repo automatically ships this at /plugins/plugin_antispam_ocr +# - exec: /plugins/plugin_antispam_ocr +# config: +# # The URL to your OCR server (https://github.com/otiai10/ocrserver) +# ocrServer: "http://localhost:8080" +# # The keywords to scan for. The image must contain at least one of the keywords +# # from each list to qualify for spam. +# keywordGroups: +# - - elon +# - musk +# - elonmusk +# - - bitcoin +# # The minimum (and maximum) sizes of images to process. +# minSizeBytes: 20000 +# maxSizeBytes: 200000 +# # The types of files to process +# types: ["image/png", "image/jpeg", "image/jpg"] +# # The user ID regex to check against +# userIds: "@telegram_.*" +# # How much of the image's height, starting from the top, to consider before +# # discarding the rest. Set to 1.0 to consider the whole image. +# percentageOfHeight: 0.35 + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +matrix_media_repo_feature_support: + featureSupport: + # MSC2248 - Blurhash + MSC2448: + # Whether or not this MSC is enabled for use in the media repo + enabled: false + + # Maximum dimensions for converting a blurhash to an image. When no width and + # height options are supplied, the default will be half these values. + maxWidth: 1024 + maxHeight: 1024 + + # Thumbnail size in pixels to use to generate the blurhash string + thumbWidth: 64 + thumbHeight: 64 + + # The X and Y components to use. Higher numbers blur less, lower numbers blur more. + xComponents: 4 + yComponents: 3 + + # The amount of contrast to apply when converting a blurhash to an image. Lower values + # make the effect more subtle, larger values make it stronger. + punch: 1 + + # IPFS Support + # This is currently experimental and might not work at all. + IPFS: + # Whether or not IPFS support is enabled for use in the media repo. + enabled: false + + # Options for the built in IPFS daemon + builtInDaemon: + # Enable this to spawn an in-process IPFS node to use instead of a localhost + # HTTP agent. If this is disabled, the media repo will assume you have an HTTP + # IPFS agent running and accessible. Defaults to using a daemon (true). + enabled: true + + # If the Daemon is enabled, set this to the location where the IPFS files should + # be stored. If you're using Docker, this should be something like "/data/ipfs" + # so it can be mapped to a volume. + repoPath: "./ipfs" + + # Support for redis as a cache mechanism + # + # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing. + # It can be safely disabled once Redis support is enabled. + # + # See docs/redis.md for more information on how this works and how to set it up. + redis: + # Whether or not use Redis instead of in-process caching. + enabled: false + + # The Redis shards that should be used by the media repo in the ring. The names of the + # shards are for your reference and have no bearing on the connection, but must be unique. + shards: + - name: "server1" + addr: ":7000" + - name: "server2" + addr: ":7001" + - name: "server3" + addr: ":7002" + +# Optional sentry (https://sentry.io/) configuration for the media repo + +# Whether or not to set up error reporting. Defaults to off. +matrix_media_repo_sentry_enabled: false + +# Get this value from the setup instructions in Sentry +matrix_media_repo_sentry_dsn: "https://examplePublicKey@ingest.sentry.io/0" + +# Optional environment flag. Defaults to an empty string. +matrix_media_repo_sentry_environment: "" + +# Whether or not to turn on sentry's built in debugging. This will increase log output. +matrix_media_repo_sentry_debug: false diff --git a/roles/custom/matrix-media-repo/tasks/main.yml b/roles/custom/matrix-media-repo/tasks/main.yml new file mode 100644 index 000000000..03c26ec5b --- /dev/null +++ b/roles/custom/matrix-media-repo/tasks/main.yml @@ -0,0 +1,17 @@ +--- + +- tags: + - setup-all + - setup-matrix-media-repo + - install-all + - install-matrix-media-repo + block: + - when: matrix_media_repo_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-matrix-media-repo + block: + - when: not matrix_media_repo_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-media-repo/tasks/setup_install.yml b/roles/custom/matrix-media-repo/tasks/setup_install.yml new file mode 100644 index 000000000..3bcbed966 --- /dev/null +++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml @@ -0,0 +1,88 @@ +--- + +- name: Ensure media-repo paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_media_repo_base_path }}" + when: true + - path: "{{ matrix_media_repo_config_path }}" + when: true + - path: "{{ matrix_media_repo_data_path }}" + when: true + - path: "{{ matrix_media_repo_docker_src_files_path }}" + when: "{{ matrix_media_repo_container_image_self_build }}" + when: "item.when | bool" + +- name: Ensure media-repo support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/media-repo/{{ item }}.j2" + dest: "{{ matrix_media_repo_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + +- name: Ensure media-repo configuration installed + ansible.builtin.template: + src: "{{ role_path }}/templates/media-repo/media-repo.yaml.j2" + dest: "{{ matrix_media_repo_config_path }}/media-repo.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure media-repo Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_media_repo_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_media_repo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_media_repo_docker_image_force_pull }}" + when: "not matrix_media_repo_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: "matrix_media_repo_container_image_self_build | bool" + block: + - name: Ensure media-repo repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_media_repo_container_image_self_build_repo }}" + dest: "{{ matrix_media_repo_docker_src_files_path }}" + version: "{{ matrix_media_repo_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_media_repo_git_pull_results + + - name: Check if media-repo Docker image exists + ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_media_repo_docker_image }}'" + register: matrix_media_repo_docker_image_check_result + changed_when: false + + # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module, + # because the latter does not support BuildKit. + # See: https://github.com/ansible-collections/community.general/issues/514 + - name: Ensure media-repo Docker image is built + ansible.builtin.command: + cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_media_repo_docker_image }} {{ matrix_media_repo_docker_src_files_path }}" + environment: + DOCKER_BUILDKIT: 1 + changed_when: true + when: "matrix_media_repo_git_pull_results.changed | bool or matrix_media_repo_docker_image_check_result.stdout == ''" + +- name: Ensure media-repo container network is created + community.general.docker_network: + name: "{{ matrix_media_repo_container_network }}" + driver: bridge + +- name: Ensure media-repo service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service" + mode: 0640 diff --git a/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml new file mode 100644 index 000000000..449cd48b8 --- /dev/null +++ b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml @@ -0,0 +1,19 @@ +--- + +- name: Check existence of media-repo service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service" + register: matrix_media_repo_service_stat + +- when: matrix_media_repo_service_stat.stat.exists | bool + block: + - name: Ensure media-repo is stopped + ansible.builtin.systemd: + name: "{{ matrix_media_repo_identifier }}" + state: stopped + daemon_reload: true + + - name: Ensure media-repo service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service" + state: absent diff --git a/roles/custom/matrix-media-repo/templates/grafana/media-repo.json b/roles/custom/matrix-media-repo/templates/grafana/media-repo.json new file mode 100644 index 000000000..1fb68e0a9 --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/grafana/media-repo.json @@ -0,0 +1,991 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 9, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_http_requests_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{host}}: {{method}} {{action}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_invalid_http_requests_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'Invalid Host: {{method}} {{action}}' }}", + "refId": "B" + } + ], + "title": "HTTP Requsts", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 3, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_http_responses_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{host}}: {{method}} {{action}} {{statusCode}}' }}", + "refId": "A" + } + ], + "title": "HTTP Responses", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 8, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_alloc_bytes", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "memory usage (alloc)", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_sys_bytes", + "interval": "", + "legendFormat": "memory usage (sys)", + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_alloc_bytes", + "interval": "", + "legendFormat": "heap usage (alloc)", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_idle_bytes", + "interval": "", + "legendFormat": "heap usage (idle)", + "refId": "D" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_inuse_bytes", + "interval": "", + "legendFormat": "heap usage (used)", + "refId": "E" + } + ], + "title": "Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 4, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_bytes_used", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ 'size of cache: {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_live_bytes_used", + "interval": "", + "legendFormat": "{{ 'live size of cache: {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Size (Bytes)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 18 + }, + "id": 9, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_items", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ 'items in cache: {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_live_items", + "interval": "", + "legendFormat": "{{ 'live items in cache: {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Size (# of items)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 18 + }, + "id": 5, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_hits_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'hits in {{cache}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_misses_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'misses in {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_evictions_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'evictions due to {{reason}} in {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Operations", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 27 + }, + "id": 6, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_thumbnails_generated_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{origin}} {{width}}x{{height}} {{method}} animated={{animated}}' }}", + "refId": "A" + } + ], + "title": "Thumbnail Generation", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 27 + }, + "id": 7, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_downloaded_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'downloads from {{origin}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_url_previews_generated_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'preview with engine: {{type}}' }}", + "refId": "B" + } + ], + "title": "Resource Handling", + "type": "timeseries" + } + ], + "refresh": "1m", + "schemaVersion": 38, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Media Repo Dashboard", + "uid": "xJUZ3xfmk", + "version": 2, + "weekStart": "" +} \ No newline at end of file diff --git a/roles/custom/matrix-media-repo/templates/media-repo/env.j2 b/roles/custom/matrix-media-repo/templates/media-repo/env.j2 new file mode 100644 index 000000000..8b26f77d7 --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/env.j2 @@ -0,0 +1 @@ +REPO_CONFIG=/config/media-repo.yaml diff --git a/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 new file mode 100644 index 000000000..c304c1c2c --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 @@ -0,0 +1,619 @@ +# General repo configuration +repo: + bindAddress: {{ matrix_media_repo_bind_address | to_json }} + port: {{ matrix_media_repo_port | to_json }} + + # Where to store the logs, relative to where the repo is started from. Logs will be automatically + # rotated every day and held for 14 days. To disable the repo logging to files, set this to + # "-" (including quotation marks). + # + # Note: to change the log directory you'll have to restart the repository. This setting cannot be + # live reloaded. + logDirectory: {{ matrix_media_repo_log_directory | to_json }} + + # Set to true to enable color coding in your logs. Note that this may cause escape sequences to + # appear in logs which render them unreadable, which is why colors are disabled by default. + logColors: {{ matrix_media_repo_log_colors | to_json }} + + # Set to true to enable JSON logging for consumption by things like logstash. Note that this is + # incompatible with the log color option and will always render without colors. + jsonLogs: {{ matrix_media_repo_json_logs | to_json }} + + # The log level to log at. Note that this will need to be at least "info" to receive support. + # + # Values (in increasing spam): panic | fatal | error | warn | info | debug | trace + logLevel: {{ matrix_media_repo_log_level | to_json }} + + # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases + # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For + # header, but validates it to ensure the IP being given makes sense. + trustAnyForwardedAddress: {{ matrix_media_repo_trust_any_forwarded_address | to_json }} + + # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. + # Typically this should remain as true, though in some circumstances it may need to be disabled. + # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. + useForwardedHost: {{ matrix_media_repo_use_forwarded_host | to_json }} + +# Options for dealing with federation +federation: + # On a per-host basis, the number of consecutive failures in calling the host before the + # media repo will back off. This defaults to 20 if not given. Note that 404 errors from + # the remote server do not count towards this. + backoffAt: {{ matrix_media_repo_federation_backoff_at | to_json }} + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. Using the same server is fine, just not the same username and database. +database: + # Currently only "postgres" is supported. + postgres: {{ matrix_media_repo_database_postgres | to_json }} + + # The database pooling options + pool: + # The maximum number of connects to hold open. More of these allow for more concurrent + # processes to happen. + maxConnections: {{ matrix_media_repo_database_max_connections | to_json }} + + # The maximum number of connects to leave idle. More of these reduces the time it takes + # to serve requests in low-traffic scenarios. + maxIdleConnections: {{ matrix_media_repo_database_max_idle_connections | to_json }} + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +#homeservers: +# - name: example.org # This should match the server_name of your homeserver, and the Host header +# # provided to the media repo. +# csApi: "https://example.org/" # The base URL to where the homeserver can actually be reached +# backoffAt: 10 # The number of consecutive failures in calling this homeserver before the +# # media repository will start backing off. This defaults to 10 if not given. +# adminApiKind: "matrix" # The kind of admin API the homeserver supports. If set to "matrix", +# # the media repo will use the Synapse-defined endpoints under the +# # unstable client-server API. When this is "synapse", the new /_synapse +# # endpoints will be used instead. Unknown values are treated as the +# # default, "matrix". +{{ matrix_media_repo_homeservers | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. +# +# *************************************************************************** +# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * +# *************************************************************************** +# accessTokens: +# # The maximum time a cached access token will be considered valid. Set to zero (the default) +# # to disable the cache and constantly hit the homeserver. This is recommended to be set to +# # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and +# # zero for servers who do not proxy the endpoints through. +# maxCacheTimeSeconds: 0 +# +# # Whether or not to use the `appservices` config option below. If disabled (the default), +# # the regular access token cache will be used for each user, potentially leading to high +# # memory usage. +# useLocalAppserviceConfig: false +# +# # The application services (and their namespaces) registered on the homeserver. Only used +# # if `useLocalAppserviceConfig` is enabled (recommended). +# # +# # Usually the appservice will provide you with these config details - they'll just need +# # translating from the appservice registration to here. Note that this does not require +# # all options from the registration, and only requires the bare minimum required to run +# # the media repo. +# appservices: +# - id: Name_of_appservice_for_your_reference +# asToken: Secret_token_for_appservices_to_use +# senderUserId: "@_example_bridge:yourdomain.com" +# userNamespaces: +# - regex: "@_example_bridge_.+:yourdomain.com" +# # A note about regexes: it is best to suffix *all* namespaces with the homeserver +# # domain users are valid for, as otherwise the appservice can use any user with +# # any domain name it feels like, even if that domain is not configured with the +# # media repo. This will lead to inaccurate reporting in the case of the media +# # repo, and potentially leading to media being considered "remote". +{{ matrix_media_repo_access_tokens | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# These users have full access to the administrative functions of the media repository. +# See docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +{{ matrix_media_repo_admins | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Shared secret auth is useful for applications building on top of the media repository, such +# as a management interface. The `token` provided here is treated as a repository administrator +# when shared secret auth is enabled: if the `token` is used in place of an access token, the' +# request will be authorized. This is not limited to any particular domain, giving applications +# the ability to use it on any configured hostname. +sharedSecretAuth: + # Set this to true to enable shared secret auth. + enabled: {{ matrix_media_repo_shared_secret_auth_enabled | to_json }} + + # Use a secure value here to prevent unauthorized access to the media repository. + token: {{ matrix_media_repo_shared_secret_auth_token | to_json }} + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +# datastores: +# - type: file +# enabled: false # Enable this to set up data storage. +# # Datastores can be split into many areas when handling uploads. Media is still de-duplicated +# # across all datastores (local content which duplicates remote content will re-use the remote +# # content's location). This option is useful if your datastore is becoming very large, or if +# # you want faster storage for a particular kind of media. +# # +# # The kinds available are: +# # thumbnails - Used to store thumbnails of media (local and remote). +# # remote_media - Original copies of remote media (servers not configured by this repo). +# # local_media - Original uploads for local media. +# # archives - Archives of content (GDPR and similar requests). +# forKinds: ["thumbnails"] +# opts: +# path: /var/matrix/media +# +# - type: s3 +# enabled: false # Enable this to set up s3 uploads +# forKinds: ["thumbnails", "remote_media", "local_media", "archives"] +# opts: +# # The s3 uploader needs a temporary location to buffer files to reduce memory usage on +# # small file uploads. If the file size is unknown, the file is written to this location +# # before being uploaded to s3 (then the file is deleted). If you aren't concerned about +# # memory usage, set this to an empty string. +# tempPath: "/tmp/mediarepo_s3_upload" +# endpoint: sfo2.digitaloceanspaces.com +# accessKeyId: "" +# accessSecret: "" +# ssl: true +# bucketName: "your-media-bucket" +# # An optional region for where this S3 endpoint is located. Typically not needed, though +# # some providers will need this (like Scaleway). Uncomment to use. +# #region: "sfo2" +# +# # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If +# # the feature is not enabled, this will not work. Note that IPFS support is experimental at +# # the moment and not recommended for general use. +# # +# # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo +# # puts authentication on the download endpoints. Only use this option for cases where you +# # expect your media to be publicly accessible. +# - type: ipfs +# enabled: false # Enable this to use IPFS support +# forKinds: ["local_media"] +# # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured +# # in the IPFS section of your main config. +# opts: {} +{{ matrix_media_repo_datastores | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Options for controlling archives. Archives are exports of a particular user's content for +# the purpose of GDPR or moving media to a different server. +archiving: + # Whether archiving is enabled or not. Default enabled. + enabled: {{ matrix_media_repo_archiving_enabled | to_json }} + # If true, users can request a copy of their own data. By default, only repository administrators + # can request a copy. + # This includes the ability for homeserver admins to request a copy of their own server's + # data, as known to the repo. + selfService: {{ matrix_media_repo_archiving_self_service | to_json }} + # The number of bytes to target per archive before breaking up the files. This is independent + # of any file upload limits and will require a similar amount of memory when performing an export. + # The file size is also a target, not a guarantee - it is possible to have files that are smaller + # or larger than the target. This is recommended to be approximately double the size of your + # file upload limit, provided there is enough memory available for the demand of exporting. + targetBytesPerPart: {{ matrix_media_repo_archiving_target_bytes_per_part | to_json }} # 200mb default + +# The file upload settings for the media repository +# uploads: +# # The maximum individual file size a user can upload. +# maxBytes: 104857600 # 100MB default, 0 to disable +# +# # The minimum number of bytes to let people upload. This is recommended to be non-zero to +# # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend +# # to waste more CPU and database resources than small files, thus a default of 100 bytes +# # is applied here as an approximate break-even point. +# minBytes: 100 # 100 bytes by default +# +# # The number of bytes to claim as the maximum size for uploads for the limits API. If this +# # is not provided then the maxBytes setting will be used instead. This is useful to provide +# # if the media repo's settings and the reverse proxy do not match for maximum request size. +# # This is purely for informational reasons and does not actually limit any functionality. +# # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. +# #reportedMaxBytes: 104857600 +# +# # Options for limiting how much content a user can upload. Quotas are applied to content +# # associated with a user regardless of de-duplication. Quotas which affect remote servers +# # or users will not take effect. When a user exceeds their quota they will be unable to +# # upload any more media. +# quotas: +# # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo +# # will track how much media a user has uploaded. This is disabled by default. +# enabled: false +# +# # The quota rules that affect users. The first rule to match the uploader will take effect. +# # An implied rule which matches all users and has no quota is always last in this list, +# # meaning that if no rules are supplied then users will be able to upload anything. Similarly, +# # if no rules match a user then the implied rule will match, allowing the user to have no +# # quota. The quota will let the user upload to 1 media past their quota, meaning that from +# # a statistics perspective the user might exceed their quota however only by a small amount. +# users: +# - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character. +# maxBytes: 53687063712 # 50GB default, 0 to disable +{{ matrix_media_repo_uploads | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Settings related to downloading files from the media repository +downloads: + # The maximum number of bytes to download from other servers + maxBytes: {{ matrix_media_repo_downloads_max_bytes | to_json }} # 100MB default, 0 to disable + + # The number of workers to use when downloading remote media. Raise this number if remote + # media is downloading slowly or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum download size + # Average memory usage is dependent on how many concurrent downloads your users are doing. + numWorkers: {{ matrix_media_repo_downloads_num_workers | to_json }} + + # How long, in minutes, to cache errors related to downloading remote media. Once this time + # has passed, the media is able to be re-requested. + failureCacheMinutes: {{ matrix_media_repo_downloads_failure_cache_minutes | to_json }} + + # The cache control settings for downloads. This can help speed up downloads for users by + # keeping popular media in the cache. This cache is also used for thumbnails. + cache: + enabled: {{ matrix_media_repo_downloads_cache_enabled | to_json }} + + # The maximum size of cache to have. Higher numbers are better. + maxSizeBytes: {{ matrix_media_repo_downloads_cache_max_size_bytes | to_json }} # 1GB default + + # The maximum file size to cache. This should normally be the same size as your maximum + # upload size. + maxFileSizeBytes: {{ matrix_media_repo_downloads_cache_max_file_size_bytes | to_json }} # 100MB default + + # The number of minutes to track how many downloads a file gets + trackedMinutes: {{ matrix_media_repo_downloads_cache_tracked_minutes | to_json }} + + # The number of downloads a file must receive in the window above (trackedMinutes) in + # order to be cached. + minDownloads: {{ matrix_media_repo_downloads_cache_min_downloads | to_json }} + + # The minimum amount of time an item should remain in the cache. This prevents the cache + # from cycling out the file if it needs more room during this time. Note that the media + # repo regularly cleans out media which is past this point from the cache, so this number + # may need increasing depending on your use case. If the maxSizeBytes is reached for the + # media repo, and some cached items are still under this timer, new items will not be able + # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this + # timer. + minCacheTimeSeconds: {{ matrix_media_repo_downloads_cache_min_cache_time_seconds | to_json }} + + # The minimum amount of time an item should remain outside the cache once it is removed. + minEvictedTimeSeconds: {{ matrix_media_repo_downloads_cache_min_evicted_time_seconds | to_json }} + + # How many days after a piece of remote content is downloaded before it expires. It can be + # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or + # negative to disable. Defaults to disabled. + expireAfterDays: {{ matrix_media_repo_downloads_expire_after_days | to_json }} + +# URL Preview settings +# urlPreviews: +# enabled: true # If enabled, the preview_url routes will be accessible +# maxPageSizeBytes: 10485760 # 10MB default, 0 to disable +# +# # If true, the media repository will try to provide previews for URLs with invalid or unsafe +# # certificates. If false (the default), the media repo will fail requests to said URLs. +# previewUnsafeCertificates: false +# +# # Note: URL previews are limited to a given number of words, which are then limited to a number +# # of characters, taking off the last word if it needs to. This also applies for the title. +# +# numWords: 50 # The number of words to include in a preview (maximum) +# maxLength: 200 # The maximum number of characters for a description +# +# numTitleWords: 30 # The maximum number of words to include in a preview's title +# maxTitleLength: 150 # The maximum number of characters for a title +# +# # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are +# # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be +# # an image and the image's type must be allowed by the thumbnailer. +# filePreviewTypes: +# - "image/*" +# +# # The number of workers to use when generating url previews. Raise this number if url +# # previews are slow or timing out. +# # +# # Maximum memory usage = numWorkers multiplied by the maximum page size +# # Average memory usage is dependent on how many concurrent urls your users are previewing. +# numWorkers: 10 +# +# # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they +# # will be merged. URL previews will be disabled if neither is supplied. Each entry must be +# # a CIDR range. +# disallowedNetworks: +# - "127.0.0.1/8" +# - "10.0.0.0/8" +# - "172.16.0.0/12" +# - "192.168.0.0/16" +# - "100.64.0.0/10" +# - "169.254.0.0/16" +# - '::1/128' +# - 'fe80::/64' +# - 'fc00::/7' +# allowedNetworks: +# - "0.0.0.0/0" # "Everything". The blacklist will help limit this. +# # This is the default value for this field. +# +# # How many days after a preview is generated before it expires and is deleted. The preview +# # can be regenerated safely - this just helps free up some space in your database. Set to +# # zero or negative to disable. Defaults to disabled. +# expireAfterDays: 0 +# +# # The default Accept-Language header to supply when generating URL previews when one isn't +# # supplied by the client. +# # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language +# defaultLanguage: "en-US,en" +# +# # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for +# # sites that do not support OpenGraph or page scraping, such as Twitter. For information on +# # specifying providers for oEmbed, including your own, see the following documentation: +# # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html +# # Defaults to disabled. +# oEmbed: false +{{ matrix_media_repo_url_previews | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false)}} + +# The thumbnail configuration for the media repository. +# thumbnails: +# # The maximum number of bytes an image can be before the thumbnailer refuses. +# maxSourceBytes: 10485760 # 10MB default, 0 to disable +# +# # The maximum number of pixels an image can have before the thumbnailer refuses. Note that +# # this only applies to image types: file types like audio and video are affected solely by +# # the maxSourceBytes. +# maxPixels: 32000000 # 32M default +# +# # The number of workers to use when generating thumbnails. Raise this number if thumbnails +# # are slow to generate or timing out. +# # +# # Maximum memory usage = numWorkers multiplied by the maximum image source size +# # Average memory usage is dependent on how many thumbnails are being generated by your users +# numWorkers: 100 +# +# # All thumbnails are generated into one of the sizes listed here. The first size is used as +# # the default for when no width or height is requested. The media repository will return +# # either an exact match or the next largest size of thumbnail. +# sizes: +# - width: 32 +# height: 32 +# - width: 96 +# height: 96 +# - width: 320 +# height: 240 +# - width: 640 +# height: 480 +# - width: 768 # This size is primarily used for audio thumbnailing. +# height: 240 +# - width: 800 +# height: 600 +# +# # To allow for thumbnails to be any size, not just in the sizes specified above, set this to +# # true (default false). When enabled, whatever size requested by the client will be generated +# # up to a maximum of the largest possible dimensions in the `sizes` list. For best results, +# # specify only one size in the `sizes` list when this option is enabled. +# dynamicSizing: false +# +# # The content types to thumbnail when requested. Types that are not supported by the media repo +# # will not be thumbnailed (adding application/json here won't work). Clients may still not request +# # thumbnails for these types - this won't make clients automatically thumbnail these file types. +# types: +# - "image/jpeg" +# - "image/jpg" +# - "image/png" +# - "image/apng" +# - "image/gif" +# - "image/heif" +# - "image/webp" +# #- "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files +# - "audio/mpeg" +# - "audio/ogg" +# - "audio/wav" +# - "audio/flac" +# #- "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files +# +# # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated +# # thumbnails, set this to false. If disabled, regular thumbnails will be returned. +# allowAnimated: true +# +# # Default to animated thumbnails, if available +# defaultAnimated: false +# +# # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image +# # is larger than this, the thumbnail will be generated as a static image. +# maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable +# +# # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try +# # and thumbnail animated content? Defaults to 0.5 (middle of animation). +# stillFrame: 0.5 +# +# # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail +# # can be regenerated safely - this just helps free up some space in your datastores. Set to +# # zero or negative to disable. Defaults to disabled. +# expireAfterDays: 0 +{{ matrix_media_repo_thumbnails | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Controls for the rate limit functionality +rateLimit: + # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. + enabled: {{ matrix_media_repo_rate_limit_enabled | to_json }} + + # The number of requests per second before an IP will be rate limited. Must be a whole number. + requestsPerSecond: {{ matrix_media_repo_rate_limit_requests_per_second | to_json }} + + # The number of requests an IP can send at once before the rate limit is actually considered. + burst: {{ matrix_media_repo_rate_limit_burst | to_json }} + +# Identicons are generated avatars for a given username. Some clients use these to give users a +# default avatar after signing up. Identicons are not part of the official matrix spec, therefore +# this feature is completely optional. +identicons: + enabled: {{ matrix_media_repo_identicons_enabled | to_json }} + +# The quarantine media settings. +quarantine: + # If true, when a thumbnail of quarantined media is requested an image will be returned. If no + # image is given in the thumbnailPath below then a generated image will be provided. This does + # not affect regular downloads of files. + replaceThumbnails: {{ matrix_media_repo_quarantine_replace_thumbnails | to_json }} + + # If true, when media which has been quarantined is requested an image will be returned. If + # no image is given in the thumbnailPath below then a generated image will be provided. This + # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with + # an image). + replaceDownloads: {{ matrix_media_repo_quarantine_replace_downloads | to_json }} + + # If provided, the given image will be returned as a thumbnail for media that is quarantined. + #thumbnailPath: "/path/to/thumbnail.png" + thumbnailPath: {{ "" if matrix_media_repo_quarantine_thumbnail_path == "" else matrix_media_repo_quarantine_thumbnail_path | to_json }} + + # If true, administrators of the configured homeservers may quarantine media for their server + # only. Global administrators can quarantine any media (local or remote) regardless of this + # flag. + allowLocalAdmins: {{ matrix_media_repo_quarantine_allow_local_admins | to_json }} + +# The various timeouts that the media repo will use. +timeouts: + # The maximum amount of time the media repo should spend trying to fetch a resource that is + # being previewed. + urlPreviewTimeoutSeconds: {{ matrix_media_repo_timeouts_url_preview_timeout_seconds | to_json }} + + # The maximum amount of time the media repo will spend making remote requests to other repos + # or homeservers. This is primarily used to download media. + federationTimeoutSeconds: {{ matrix_media_repo_timeouts_federation_timeout_seconds | to_json }} + + # The maximum amount of time the media repo will spend talking to your configured homeservers. + # This is usually used to verify a user's identity. + clientServerTimeoutSeconds: {{ matrix_media_repo_timeouts_client_server_timeout_seconds | to_json }} + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json +metrics: + # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. + enabled: {{ matrix_media_repo_metrics_enabled | to_json }} + + # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. + bindAddress: {{ matrix_media_repo_metrics_bind_address | to_json }} + + # The port to listen on. Cannot be the same as the general web server port. + port: {{ matrix_media_repo_metrics_port | to_json }} + +# Plugins are optional pieces of the media repo used to extend the functionality offered. +# Currently there are only antispam plugins, but in future there should be more options. +# Plugins are not supported on per-domain paths and are instead repo-wide. For more +# information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix. + +# An example OCR plugin to block images with certain text. Note that the Docker image +# for the media repo automatically ships this at /plugins/plugin_antispam_ocr +# - exec: /plugins/plugin_antispam_ocr +# config: +# # The URL to your OCR server (https://github.com/otiai10/ocrserver) +# ocrServer: "http://localhost:8080" +# # The keywords to scan for. The image must contain at least one of the keywords +# # from each list to qualify for spam. +# keywordGroups: +# - - elon +# - musk +# - elonmusk +# - - bitcoin +# # The minimum (and maximum) sizes of images to process. +# minSizeBytes: 20000 +# maxSizeBytes: 200000 +# # The types of files to process +# types: ["image/png", "image/jpeg", "image/jpg"] +# # The user ID regex to check against +# userIds: "@telegram_.*" +# # How much of the image's height, starting from the top, to consider before +# # discarding the rest. Set to 1.0 to consider the whole image. +# percentageOfHeight: 0.35 +{{ matrix_media_repo_plugins | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +# featureSupport: +# # MSC2248 - Blurhash +# MSC2448: +# # Whether or not this MSC is enabled for use in the media repo +# enabled: false +# +# # Maximum dimensions for converting a blurhash to an image. When no width and +# # height options are supplied, the default will be half these values. +# maxWidth: 1024 +# maxHeight: 1024 +# +# # Thumbnail size in pixels to use to generate the blurhash string +# thumbWidth: 64 +# thumbHeight: 64 +# +# # The X and Y components to use. Higher numbers blur less, lower numbers blur more. +# xComponents: 4 +# yComponents: 3 +# +# # The amount of contrast to apply when converting a blurhash to an image. Lower values +# # make the effect more subtle, larger values make it stronger. +# punch: 1 +# +# # IPFS Support +# # This is currently experimental and might not work at all. +# IPFS: +# # Whether or not IPFS support is enabled for use in the media repo. +# enabled: false +# +# # Options for the built in IPFS daemon +# builtInDaemon: +# # Enable this to spawn an in-process IPFS node to use instead of a localhost +# # HTTP agent. If this is disabled, the media repo will assume you have an HTTP +# # IPFS agent running and accessible. Defaults to using a daemon (true). +# enabled: true +# +# # If the Daemon is enabled, set this to the location where the IPFS files should +# # be stored. If you're using Docker, this should be something like "/data/ipfs" +# # so it can be mapped to a volume. +# repoPath: "./ipfs" +# +# # Support for redis as a cache mechanism +# # +# # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing. +# # It can be safely disabled once Redis support is enabled. +# # +# # See docs/redis.md for more information on how this works and how to set it up. +# redis: +# # Whether or not use Redis instead of in-process caching. +# enabled: false +# +# # The Redis shards that should be used by the media repo in the ring. The names of the +# # shards are for your reference and have no bearing on the connection, but must be unique. +# shards: +# - name: "server1" +# addr: ":7000" +# - name: "server2" +# addr: ":7001" +# - name: "server3" +# addr: ":7002" +{{ matrix_media_repo_feature_support | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Optional sentry (https://sentry.io/) configuration for the media repo +sentry: + # Whether or not to set up error reporting. Defaults to off. + enabled: {{ matrix_media_repo_sentry_enabled | to_json }} + + # Get this value from the setup instructions in Sentry + dsn: {{ matrix_media_repo_sentry_dsn | to_json }} + + # Optional environment flag. Defaults to an empty string. + environment: {{ "" if matrix_media_repo_sentry_environment == "" else matrix_media_repo_sentry_environment | to_json }} + + # Whether or not to turn on sentry's built in debugging. This will increase log output. + debug: {{ matrix_media_repo_sentry_debug | to_json }} \ No newline at end of file diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 new file mode 100644 index 000000000..0e73cb6ce --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 @@ -0,0 +1,56 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix media-repo +{% for service in matrix_media_repo_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_media_repo_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_media_repo_identifier }} 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ matrix_media_repo_identifier }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_media_repo_base_path }}/env \ + {% if matrix_media_repo_container_http_host_bind_port %} + -p {{ matrix_media_repo_container_http_host_bind_port }}:{{ matrix_media_repo_port }} \ + {% endif %} + {% if matrix_media_repo_metrics_enabled and matrix_media_repo_container_metrics_host_bind_port %} + -p {{ matrix_media_repo_container_metrics_host_bind_port }}:{{ matrix_media_repo_metrics_port }} \ + {% endif %} + --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_media_repo_data_path }},dst=/data \ + --workdir='/data' \ + --entrypoint='media_repo' \ + {% for arg in matrix_media_repo_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_media_repo_docker_image }} + +{% for network in matrix_media_repo_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_media_repo_identifier }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_media_repo_identifier }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec {{ matrix_media_repo_identifier }} /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_media_repo_identifier }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index e0d489c3f..c34e92a92 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,7 @@ --- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.23.2-alpine +matrix_nginx_proxy_version: 1.25.1-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -21,6 +21,10 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# The base container network. +# Also see: matrix_nginx_proxy_container_additional_networks +matrix_nginx_proxy_container_network: "{{ matrix_docker_network }}" + # A list of additional container networks that matrix-nginx-proxy would be connected to. # The playbook does not create these networks, so make sure they already exist. # @@ -36,6 +40,39 @@ matrix_nginx_proxy_container_additional_networks: [] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] +# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`. +matrix_nginx_proxy_container_labels_traefik_enabled: false +matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure +matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming + +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled: "{{ matrix_nginx_proxy_base_domain_serving_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname: "{{ matrix_nginx_proxy_base_domain_hostname }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" + +# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_nginx_proxy_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_nginx_proxy_container_labels_additional_labels: '' + + # A list of extra arguments to pass to the container matrix_nginx_proxy_container_extra_arguments: [] @@ -192,6 +229,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448 matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" +# Controls whether proxying the rageshake domain should be done. +matrix_nginx_proxy_proxy_rageshake_enabled: false +matrix_nginx_proxy_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" + # Controls whether proxying the etherpad domain should be done. matrix_nginx_proxy_proxy_etherpad_enabled: false matrix_nginx_proxy_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" @@ -296,6 +337,11 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_media_repo_enabled: false +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" @@ -381,6 +427,9 @@ matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Rageshake's server configuration (matrix-rageshake.conf). +matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to etherpad's server configuration (matrix-etherpad.conf). matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks: [] @@ -561,7 +610,7 @@ matrix_ssl_lets_encrypt_staging: false # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.31.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v2.0.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ @@ -574,12 +623,13 @@ matrix_ssl_lets_encrypt_support_email: ~ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' # Specify key type of the private key algorithm. -# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys -matrix_ssl_lets_encrypt_key_type: rsa +# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys +matrix_ssl_lets_encrypt_key_type: ecdsa matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" +matrix_ssl_bin_dir_path: "{{ matrix_ssl_base_path }}/bin" # If you'd like to start some service before a certificate is obtained, specify it here. # This could be something like `matrix-dynamic-dns`, etc. @@ -646,31 +696,17 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] -# synapse worker activation and endpoint mappings -matrix_nginx_proxy_synapse_workers_enabled: false -matrix_nginx_proxy_synapse_workers_list: [] -matrix_nginx_proxy_synapse_generic_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] -matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_media_repository_locations: [] -matrix_nginx_proxy_synapse_user_dir_locations: [] - -# synapse content caching -matrix_nginx_proxy_synapse_cache_enabled: false -matrix_nginx_proxy_synapse_cache_path: "{{ '/tmp/synapse-cache' if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path + '/synapse-cache' }}" -matrix_nginx_proxy_synapse_cache_keys_zone_name: "STATIC" -matrix_nginx_proxy_synapse_cache_keys_zone_size: "10m" -matrix_nginx_proxy_synapse_cache_inactive_time: "48h" -matrix_nginx_proxy_synapse_cache_max_size_mb: 1024 -matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time: "24h" - - # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024 + +# A mapping of JVB server ids to hostname/ipa addresses used to add additional jvb blocks +# to the Jitsi's server configuration (matrix-jitsi.conf) +# Note: avoid using the JVB server id "jvb-1" as this is reserved for the main host. +# Example: +# matrix_nginx_proxy_proxy_jitsi_additional_jvbs: +# jvb-2: 192.168.0.1 +# jvb-3: 192.168.0.2 +matrix_nginx_proxy_proxy_jitsi_additional_jvbs: {} diff --git a/roles/custom/matrix-nginx-proxy/tasks/init.yml b/roles/custom/matrix-nginx-proxy/tasks/init.yml deleted file mode 100644 index eb4249cb8..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/init.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" - when: matrix_nginx_proxy_enabled | bool - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}" - when: "item.applicable | bool and item.enableable | bool" - with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml index 9c34d1f56..7a702fb37 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/main.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml @@ -1,7 +1,4 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always # Always validating the configuration, even if `matrix_nginx_proxy: false`. # This role performs actions even if the role is disabled, so we need @@ -11,6 +8,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/main.yml" when: run_setup | bool @@ -18,22 +17,25 @@ - setup-all - setup-nginx-proxy - setup-ssl + - install-all + - install-nginx-proxy + - install-ssl - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml" when: run_setup | bool tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool - tags: +- tags: - self-check + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - name: Mark matrix-nginx-proxy role as executed - ansible.builtin.set_fact: - matrix_nginx_proxy_role_executed: true tags: - always + ansible.builtin.set_fact: + matrix_nginx_proxy_role_executed: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 3b1cfc28e..2c54d6759 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -12,17 +12,23 @@ # - name: Ensure Matrix nginx-proxy paths exist ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - {path: "{{ matrix_nginx_proxy_base_path }}", when: true} - - {path: "{{ matrix_nginx_proxy_data_path }}", when: true} - - {path: "{{ matrix_nginx_proxy_confd_path }}", when: true} - - {path: "{{ matrix_nginx_proxy_synapse_cache_path }}", when: "{{ matrix_nginx_proxy_synapse_cache_enabled and not matrix_nginx_proxy_enabled }}"} - when: item.when | bool + - "{{ matrix_nginx_proxy_base_path }}" + - "{{ matrix_nginx_proxy_data_path }}" + - "{{ matrix_nginx_proxy_confd_path }}" + +- name: Ensure Matrix nginx-proxy labels file is created + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_nginx_proxy_base_path }}/labels" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 - name: Ensure Matrix nginx-proxy configured (main config override) ansible.builtin.template: @@ -123,6 +129,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_dimension_enabled | bool +- name: Ensure Matrix nginx-proxy configuration for rageshake domain exists + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-rageshake.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_rageshake_enabled | bool + - name: Ensure Matrix nginx-proxy configuration for etherpad domain exists ansible.builtin.template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-etherpad.conf.j2" @@ -223,14 +236,8 @@ src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" mode: 0644 - register: matrix_nginx_proxy_systemd_service_result when: matrix_nginx_proxy_enabled | bool -- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed" - # # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) @@ -248,7 +255,6 @@ state: stopped enabled: false daemon_reload: true - register: stopping_result when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" - name: Ensure matrix-nginx-proxy.service doesn't exist @@ -257,11 +263,6 @@ state: absent when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" - - name: Ensure Matrix nginx-proxy configuration for matrix domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" @@ -274,6 +275,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for Element domain deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_element_enabled | bool" + - name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" @@ -298,6 +305,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for rageshake domain deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_rageshake_enabled | bool" + - name: Ensure Matrix nginx-proxy configuration for goneb domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml index e9d270cfe..6eff8cbf7 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml @@ -24,6 +24,7 @@ with_items: - "{{ matrix_ssl_log_dir_path }}" - "{{ matrix_ssl_config_dir_path }}" + - "{{ matrix_ssl_bin_dir_path }}" when: "matrix_ssl_retrieval_method != 'none'" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 77361f3ff..a1b14e3b2 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -1,17 +1,4 @@ --- - -# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name. -# This migration task can be removed some time in the future. -- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: - - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew" - - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" - - "/etc/cron.d/matrix-ssl-lets-encrypt" - # # Tasks related to setting up Let's Encrypt's management of certificates # @@ -36,8 +23,8 @@ - name: Ensure Let's Encrypt SSL renewal script installed ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" - dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + src: "{{ role_path }}/templates/bin/lets-encrypt-certificates-renew.j2" + dest: "{{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew" mode: 0755 - name: Ensure SSL renewal systemd units installed @@ -63,5 +50,5 @@ - name: Ensure Let's Encrypt SSL renewal script removed ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + path: "{{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew" state: absent diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index b10791a7f..a175b831a 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -51,6 +51,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: domain_name_needs_cert | bool register: result_certbot_direct ignore_errors: true @@ -81,6 +82,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: "domain_name_needs_cert and result_certbot_direct.failed" register: result_certbot_proxy ignore_errors: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 7ebdec790..b17e4e565 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_role: +- ansible.builtin.include_role: name: custom/matrix-base tasks_from: ensure_openssl_installed when: "matrix_ssl_retrieval_method == 'self-signed'" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index d0b254a26..c0f195191 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -28,16 +28,19 @@ # # We'll do it in a more manual way. - name: Generate SSL certificate - ansible.builtin.command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ domain_name }}" \ - -keyout {{ matrix_ssl_certificate_cert_key_path }} \ - -out {{ matrix_ssl_certificate_cert_path }} \ - -days 3650 when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + ansible.builtin.command: + cmd: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ domain_name }}" \ + -keyout {{ matrix_ssl_certificate_cert_key_path }} \ + -out {{ matrix_ssl_certificate_cert_path }} \ + -days 3650 + # Well, this creates 2 files, but Ansible can only check 1. + creates: "{{ matrix_ssl_certificate_cert_path }}" - name: Adjust SSL certificate file ownership ansible.builtin.file: diff --git a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml index f7d18c9e4..8d63876a8 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml @@ -14,6 +14,8 @@ - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': ''} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': ''} - name: Fail on unknown matrix_ssl_retrieval_method ansible.builtin.fail: diff --git a/roles/custom/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 similarity index 95% rename from roles/custom/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 rename to roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 index 89113629b..5f235ea26 100644 --- a/roles/custom/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 @@ -12,7 +12,7 @@ docker run \ --name=matrix-certbot \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network="{{ matrix_docker_network }}" \ + --network="{{ matrix_nginx_proxy_container_network }}" \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 new file mode 100644 index 000000000..e15d94231 --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -0,0 +1,49 @@ +{% if matrix_nginx_proxy_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_nginx_proxy_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled %} +# Base domain +traefik.http.routers.matrix-nginx-proxy-base-domain.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule }} +traefik.http.routers.matrix-nginx-proxy-base-domain.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-base-domain.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls %} +traefik.http.routers.matrix-nginx-proxy-base-domain.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} +# Matrix Client +traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} +traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} + +# Matrix Federation +traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation +traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} +{% endif %} + +traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 + +{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} +traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }} +{% endif %} + +{% endif %} + +{{ matrix_nginx_proxy_container_labels_additional_labels }} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 44978dc40..07350b1a0 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -1,7 +1,10 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} + absolute_redirect off; root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}{{ matrix_nginx_proxy_data_path_extension }}; + index index.html index.htm; + try_files $uri $uri/ =404; gzip on; gzip_types text/plain application/json; diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 63d45bc63..8ecaf64e9 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -94,6 +94,96 @@ } {% endif %} + {% if matrix_nginx_proxy_proxy_media_repo_enabled %} + # Redirect all media endpoints to the media-repo + location ^~ /_matrix/media { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + # /_matrix/client/r0/logout + # /_matrix/client/r0/logout/all + location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + # /_matrix/client/r0/admin/purge_media_cache + # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} + location ^~ /_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + location ^~ /_matrix/client/unstable/io.t2bot.media { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} location ^~ /_matrix/client/r0/user_directory/search { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index aa4b6b446..5493c2b00 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -34,7 +34,7 @@ } # colibri (JVB) websockets - location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) { + location ~ ^/colibri-ws/jvb-1/(.*) { {% if matrix_nginx_proxy_enabled %} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend "matrix-jitsi-jvb:9090"; @@ -53,13 +53,29 @@ tcp_nodelay on; } + {% for id, ip_address in matrix_nginx_proxy_proxy_jitsi_additional_jvbs.items() %} + # colibri (JVB) websockets for additional JVBs + location ~ ^/colibri-ws/{{ id | regex_escape }}/(.*) { + proxy_pass http://{{ ip_address }}:9090/colibri-ws/{{ id }}/$1$is_args$args; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_http_version 1.1; + + tcp_nodelay on; + } + {% endfor %} + # XMPP websocket location = /xmpp-websocket { {% if matrix_nginx_proxy_enabled %} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; - proxy_pass $backend/xmpp-websocket; + set $backend {{ jitsi_xmpp_bosh_url_base }}; + proxy_pass $backend$request_uri; {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://127.0.0.1:5280; diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 index fbae47e17..7d5c8a0ed 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 @@ -21,7 +21,7 @@ {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-ntfy:8080"; + set $backend "matrix-ntfy:80"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 new file mode 100644 index 000000000..5da96684a --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 @@ -0,0 +1,100 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + +{% for configuration_block in matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-rageshake:9110"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9110; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index da1893299..4d121e7d9 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -1,70 +1,5 @@ #jinja2: lstrip_blocks: "True" -{% set generic_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} -{% set stream_writer_typing_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'typing') | list %} -{% set stream_writer_to_device_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'to_device') | list %} -{% set stream_writer_account_data_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %} -{% set stream_writer_receipts_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %} -{% set stream_writer_presence_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %} -{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} -{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} - -{% macro render_worker_upstream(name, workers, matrix_nginx_proxy_enabled) %} -{% if workers | length > 0 %} - upstream {{ name }} { - {% for worker in workers %} - {% if matrix_nginx_proxy_enabled %} - server "{{ worker.name }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } -{% endif %} -{% endmacro %} - -{% macro render_locations_to_upstream(locations, upstream_name) %} - {% for location in locations %} - location ~ {{ location }} { - proxy_pass http://{{ upstream_name }}$request_uri; - proxy_set_header Host $host; - } - {% endfor %} -{% endmacro %} - -{% if matrix_nginx_proxy_synapse_workers_enabled %} - {% if matrix_nginx_proxy_synapse_cache_enabled %} - proxy_cache_path {{ matrix_nginx_proxy_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}:{{ matrix_nginx_proxy_synapse_cache_keys_zone_size }} inactive={{ matrix_nginx_proxy_synapse_cache_inactive_time }} max_size={{ matrix_nginx_proxy_synapse_cache_max_size_mb }}m; - {% endif %} - # Round Robin "upstream" pools for workers - - {% if generic_workers |length > 0 %} - upstream generic_workers_upstream { - # ensures that requests from the same client will always be passed - # to the same server (except when this server is unavailable) - hash $http_x_forwarded_for; - - {% for worker in generic_workers %} - {% if matrix_nginx_proxy_enabled %} - server "{{ worker.name }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} - - {{ render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, matrix_nginx_proxy_enabled) }} - - {{ render_worker_upstream('media_repository_workers_upstream', media_repository_workers, matrix_nginx_proxy_enabled) }} - - {{ render_worker_upstream('user_dir_workers_upstream', user_dir_workers, matrix_nginx_proxy_enabled) }} -{% endif %} - server { listen 12080; {% if matrix_nginx_proxy_enabled %} @@ -77,71 +12,6 @@ server { gzip on; gzip_types text/plain application/json; - {% if matrix_nginx_proxy_synapse_workers_enabled %} - {# Workers redirects BEGIN #} - - {% if generic_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }} - {% endif %} - - {% if stream_writer_typing_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_to_device_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_account_data_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_receipts_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_presence_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }} - {% endif %} - - {% if media_repository_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository - {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} - location ~ {{ location }} { - proxy_pass http://media_repository_workers_upstream$request_uri; - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - - {% if matrix_nginx_proxy_synapse_cache_enabled %} - proxy_buffering on; - proxy_cache {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}; - proxy_cache_valid any {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }}; - proxy_force_ranges on; - add_header X-Cache-Status $upstream_cache_status; - {% endif %} - } - {% endfor %} - {% endif %} - - {% if user_dir_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory - # If matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set, requests may not reach here, - # but could be captured early on (see `matrix-domain.conf.j2`) and forwarded elsewhere (to an identity server, etc.). - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_user_dir_locations, 'user_dir_workers_upstream') }} - {% endif %} - {# Workers redirects END #} - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -180,34 +50,6 @@ server { gzip on; gzip_types text/plain application/json; - {% if matrix_nginx_proxy_synapse_workers_enabled %} - {% if generic_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }} - {% endif %} - {% if media_repository_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository - {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} - location ~ {{ location }} { - proxy_pass http://media_repository_workers_upstream$request_uri; - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - - {% if matrix_nginx_proxy_synapse_cache_enabled %} - proxy_buffering on; - proxy_cache {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}; - proxy_cache_valid any {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }}; - proxy_force_ranges on; - add_header X-Cache-Status $upstream_cache_status; - {% endif %} - } - {% endfor %} - {% endif %} - {% endif %} - location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 1084d8cab..6b56878a1 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -39,12 +39,23 @@ http { {% if matrix_nginx_proxy_access_log_enabled %} access_log /var/log/nginx/access.log main; - {% else %} + {% endif %} + + {% if matrix_nginx_proxy_access_log_syslog_integration_enabled %} + log_format prometheus_fmt 'matrix-nginx-proxy $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] ' + '$host "$request" ' + '$status "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log syslog:server={{ matrix_nginx_proxy_access_log_syslog_integration_server_port }},tag=matrix_nginx_proxy prometheus_fmt; + {% endif %} + + {% if not matrix_nginx_proxy_access_log_enabled and not matrix_nginx_proxy_access_log_syslog_integration_enabled %} access_log off; {% endif %} - + proxy_connect_timeout {{ matrix_nginx_proxy_connect_timeout }}; - proxy_send_timeout {{ matrix_nginx_proxy_send_timeout }}; + proxy_send_timeout {{ matrix_nginx_proxy_send_timeout }}; proxy_read_timeout {{ matrix_nginx_proxy_read_timeout }}; send_timeout {{ matrix_nginx_send_timeout }}; diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index ee32be38e..f302c92e0 100755 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -16,16 +16,16 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-nginx-proxy \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-nginx-proxy \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ - {% if matrix_nginx_proxy_synapse_cache_enabled %} - --tmpfs=/tmp/synapse-cache:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_cache_directory_size_mb }}m\ - {% endif %} - --network={{ matrix_docker_network }} \ + --label-file={{ matrix_nginx_proxy_base_path }}/labels \ + --network={{ matrix_nginx_proxy_container_network }} \ {% if matrix_nginx_proxy_container_http_host_bind_port %} -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ {% endif %} @@ -51,9 +51,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_nginx_proxy_docker_image }} {% for network in matrix_nginx_proxy_container_additional_networks %} -ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-nginx-proxy 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-nginx-proxy' +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-nginx-proxy {% endfor %} +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-nginx-proxy + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 index c7f372d9a..b2f07aca7 100644 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 @@ -4,4 +4,4 @@ Description=Renews Let's Encrypt SSL certificates [Service] Type=oneshot Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew +ExecStart={{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew diff --git a/roles/custom/matrix-nginx-proxy/vars/main.yml b/roles/custom/matrix-nginx-proxy/vars/main.yml index 1a9ed929c..34abf1903 100644 --- a/roles/custom/matrix-nginx-proxy/vars/main.yml +++ b/roles/custom/matrix-nginx-proxy/vars/main.yml @@ -7,12 +7,20 @@ matrix_ssl_renewal_systemd_units_list: - name: matrix-ssl-lets-encrypt-certificates-renew.service applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" enableable: false + priority: 5000 + groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] - name: matrix-ssl-lets-encrypt-certificates-renew.timer applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" enableable: true + priority: 5000 + groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] - name: matrix-ssl-nginx-proxy-reload.service applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}" enableable: false + priority: 5000 + groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] - name: matrix-ssl-nginx-proxy-reload.timer applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}" enableable: true + priority: 5000 + groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml deleted file mode 100644 index 762439806..000000000 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- -# Project source code URL: https://github.com/binwiederhier/ntfy - -matrix_ntfy_enabled: true - -matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" -matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" -matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" - -matrix_ntfy_version: v1.28.0 -matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" -matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" - -# Public facing base URL of the ntfy service -matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}" - -# Controls whether the container exposes its HTTP port (tcp/80 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:2586"), or empty string to not expose. -matrix_ntfy_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container (`docker run` command) -matrix_ntfy_container_extra_arguments: [] - -# Controls whether the self-check feature should validate SSL certificates. -matrix_ntfy_self_check_validate_certificates: true - -# Default ntfy configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_ntfy_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_ntfy_configuration_yaml: "{{ lookup('template', 'templates/ntfy/server.yml.j2') }}" - -matrix_ntfy_configuration_extension_yaml: | - # Your custom YAML configuration for ntfy goes here. - # This configuration extends the default starting configuration (`matrix_ntfy_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_ntfy_configuration_yaml`. - -matrix_ntfy_configuration_extension: "{{ matrix_ntfy_configuration_extension_yaml | from_yaml if matrix_ntfy_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final ntfy configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_ntfy_configuration_yaml`. -matrix_ntfy_configuration: "{{ matrix_ntfy_configuration_yaml | from_yaml | combine(matrix_ntfy_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-ntfy/tasks/init.yml b/roles/custom/matrix-ntfy/tasks/init.yml deleted file mode 100644 index 6222ada0c..000000000 --- a/roles/custom/matrix-ntfy/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ntfy.service'] }}" - when: matrix_ntfy_enabled | bool diff --git a/roles/custom/matrix-ntfy/tasks/main.yml b/roles/custom/matrix-ntfy/tasks/main.yml deleted file mode 100644 index 200d38c4a..000000000 --- a/roles/custom/matrix-ntfy/tasks/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_ntfy_enabled | bool" - tags: - - setup-all - - setup-ntfy - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_ntfy_enabled | bool" - tags: - - setup-all - - setup-ntfy - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_ntfy_enabled | bool" - tags: - - self-check diff --git a/roles/custom/matrix-ntfy/tasks/self_check.yml b/roles/custom/matrix-ntfy/tasks/self_check.yml deleted file mode 100644 index 02529f35e..000000000 --- a/roles/custom/matrix-ntfy/tasks/self_check.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -# Query an arbitrary ntfy topic using ntfy's UnifiedPush topic name syntax. -# Expect an empty response (because we query 'since=1s'). - -- ansible.builtin.set_fact: - matrix_ntfy_url_endpoint_public: "{{ matrix_ntfy_base_url }}/upSELFCHECK123/json?poll=1&since=1s" - -- name: Check ntfy - ansible.builtin.uri: - url: "{{ matrix_ntfy_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_ntfy_self_check_validate_certificates }}" - register: matrix_ntfy_self_check_result - check_mode: false - ignore_errors: true - -- name: Fail if ntfy not working - ansible.builtin.fail: - msg: "Failed checking ntfy is up at `{{ matrix_server_fqn_ntfy }}` (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`). Is ntfy running? Is port 443 open in your firewall? Full error: {{ matrix_ntfy_self_check_result }}" - when: "matrix_ntfy_self_check_result.failed" - -- name: Report working ntfy - ansible.builtin.debug: - msg: "ntfy at `{{ matrix_server_fqn_ntfy }}` is working (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`)" diff --git a/roles/custom/matrix-ntfy/tasks/setup_install.yml b/roles/custom/matrix-ntfy/tasks/setup_install.yml deleted file mode 100644 index 5ad8e507d..000000000 --- a/roles/custom/matrix-ntfy/tasks/setup_install.yml +++ /dev/null @@ -1,44 +0,0 @@ ---- - -- name: Ensure matrix-ntfy image is pulled - community.docker.docker_image: - name: "{{ matrix_ntfy_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ntfy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ntfy_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-ntfy paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_ntfy_base_path }}" - - "{{ matrix_ntfy_config_dir_path }}" - - "{{ matrix_ntfy_data_path }}" - -- name: Ensure matrix-ntfy config installed - ansible.builtin.copy: - content: "{{ matrix_ntfy_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_ntfy_config_dir_path }}/server.yml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-ntfy.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-ntfy.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" - mode: 0644 - register: matrix_ntfy_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ntfy.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_ntfy_systemd_service_result.changed" diff --git a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml b/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml deleted file mode 100644 index e0eedfd83..000000000 --- a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Check existence of matrix-ntfy service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" - register: matrix_ntfy_service_stat - -- name: Ensure matrix-ntfy is stopped - ansible.builtin.service: - name: matrix-ntfy - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_ntfy_service_stat.stat.exists" - -- name: Ensure matrix-ntfy.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" - state: absent - when: "matrix_ntfy_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-ntfy.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_ntfy_service_stat.stat.exists" - -- name: Ensure matrix-ntfy path doesn't exist - ansible.builtin.file: - path: "{{ matrix_ntfy_base_path }}" - state: absent - -- name: Ensure ntfy Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_ntfy_docker_image }}" - state: absent diff --git a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 deleted file mode 100644 index 096991a70..000000000 --- a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 +++ /dev/null @@ -1,4 +0,0 @@ -base_url: {{ matrix_ntfy_base_url }} -behind_proxy: true -cache_file: /data/cache.db -listen-http: :8080 diff --git a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 deleted file mode 100644 index a10cb5844..000000000 --- a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 +++ /dev/null @@ -1,38 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-ntfy -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_ntfy_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_ntfy_container_http_host_bind_port %} - -p {{ matrix_ntfy_container_http_host_bind_port }}:8080 \ - {% endif %} - --mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \ - --mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \ - {{ matrix_ntfy_docker_image }} \ - serve - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-ntfy - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-postgres-backup/defaults/main.yml b/roles/custom/matrix-postgres-backup/defaults/main.yml deleted file mode 100644 index abdfa74c5..000000000 --- a/roles/custom/matrix-postgres-backup/defaults/main.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -# Project source code URL: https://github.com/prodrigestivill/docker-postgres-backup-local - -matrix_postgres_backup_enabled: false - -matrix_postgres_backup_connection_hostname: "matrix-postgres" -matrix_postgres_backup_connection_port: 5432 -matrix_postgres_backup_connection_username: "matrix" -matrix_postgres_backup_connection_password: "" - -matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" -matrix_postgres_backup_schedule: "@daily" -matrix_postgres_backup_keep_days: 7 -matrix_postgres_backup_keep_weeks: 4 -matrix_postgres_backup_keep_months: 12 -matrix_postgres_backup_healthcheck_port: "8080" -matrix_postgres_backup_databases: [] -matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" - -# Specifies where the Postgres data is. -# We use this to autodetect the Postgres version during playbook runtime (by parsing the `PG_VERSION` file contained there). -# You can leave this empty to prevent auto-detection. -matrix_postgres_backup_postgres_data_path: "" - -matrix_postgres_backup_architecture: amd64 - -# matrix_postgres_backup_docker_image_distro controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. -# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). -# On ARM32, `-alpine` images fail with the following error: -# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault -matrix_postgres_backup_docker_image_distro: "{{ 'alpine' if matrix_postgres_backup_architecture in ['amd64', 'arm64'] else 'debian' }}" - -matrix_postgres_backup_docker_image_v9: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:9.6-{{ matrix_postgres_backup_docker_image_distro }}-2aa03d1" -matrix_postgres_backup_docker_image_v10: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:10-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:11-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v15: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:15-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v15 }}" - -# This variable is assigned at runtime. Overriding its value has no effect. -matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' - -matrix_postgres_backup_docker_image_force_pull: "{{ matrix_postgres_backup_docker_image_to_use.endswith(':latest') }}" diff --git a/roles/custom/matrix-postgres-backup/tasks/init.yml b/roles/custom/matrix-postgres-backup/tasks/init.yml deleted file mode 100644 index 5ece870a4..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres-backup.service'] }}" - when: matrix_postgres_backup_enabled | bool diff --git a/roles/custom/matrix-postgres-backup/tasks/main.yml b/roles/custom/matrix-postgres-backup/tasks/main.yml deleted file mode 100644 index 1403fa5b2..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_postgres_backup_enabled | bool" - tags: - - setup-all - - setup-postgres-backup - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_postgres_backup.yml" - when: run_setup | bool - tags: - - setup-all - - setup-postgres-backup diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml deleted file mode 100644 index 6066ee491..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml +++ /dev/null @@ -1,112 +0,0 @@ ---- - -# -# Tasks related to setting up postgres backup -# -- ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: detect_existing_postgres_version - when: 'matrix_postgres_backup_enabled | bool and matrix_postgres_backup_postgres_data_path != ""' - -# If we have found an existing version (installed from before), we use its corresponding Docker image. -# If not, we install using the latest Postgres. -# -# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). -- ansible.builtin.set_fact: - matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image | default('') == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" - when: matrix_postgres_backup_enabled | bool - -- name: Ensure postgres backup Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_backup_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_backup_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_backup_docker_image_force_pull }}" - when: matrix_postgres_backup_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Postgres backup paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_postgres_backup_path }}" - when: matrix_postgres_backup_enabled | bool - -- name: Ensure Postgres environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_postgres_backup_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - with_items: - - "env-postgres-backup" - when: matrix_postgres_backup_enabled | bool - -- name: Ensure matrix-postgres-backup.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - mode: 0644 - register: matrix_postgres_backup_systemd_service_result - when: matrix_postgres_backup_enabled | bool - -- name: Ensure systemd reloaded after matrix-postgres-backup.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_postgres_backup_enabled | bool and matrix_postgres_backup_systemd_service_result.changed" - -# -# Tasks related to getting rid of postgres backup (if it was previously enabled) -# - -- name: Check existence of matrix-postgres-backup service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - register: matrix_postgres_backup_service_stat - when: "not matrix_postgres_backup_enabled | bool" - -- name: Ensure matrix-postgres-backup is stopped - ansible.builtin.service: - name: matrix-postgres-backup - state: stopped - enabled: false - daemon_reload: true - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_service_stat.stat.exists" - -- name: Ensure matrix-postgres-backup.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - state: absent - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-postgres-backup.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_service_stat.stat.exists" - -- name: Check existence of matrix-postgres-backup backup path - ansible.builtin.stat: - path: "{{ matrix_postgres_backup_path }}" - register: matrix_postgres_backup_path_stat - when: "not matrix_postgres_backup_enabled | bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Inject warning if matrix-postgres backup data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You are not using the local backup service to backup the PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_backup_path }}`. Feel free to delete it." - ] - }} - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_path_stat.stat.exists" diff --git a/roles/custom/matrix-postgres-backup/tasks/validate_config.yml b/roles/custom/matrix-postgres-backup/tasks/validate_config.yml deleted file mode 100644 index aab68eafa..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/validate_config.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Fail if required Postgres settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_postgres_backup_connection_hostname" - - "matrix_postgres_backup_connection_username" - - "matrix_postgres_backup_connection_password" - - "matrix_postgres_backup_connection_port" - - "matrix_postgres_backup_schedule" - - "matrix_postgres_backup_keep_days" - - "matrix_postgres_backup_keep_weeks" - - "matrix_postgres_backup_keep_months" - - "matrix_postgres_backup_path" - - "matrix_postgres_backup_databases" - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_postgres_backup_docker_image_suffix', 'new': 'matrix_postgres_backup_docker_image_distro'} diff --git a/roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 deleted file mode 100644 index 5a3a1ffd6..000000000 --- a/roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 +++ /dev/null @@ -1,12 +0,0 @@ -#jinja2: lstrip_blocks: "True" -POSTGRES_USER={{ matrix_postgres_backup_connection_username }} -POSTGRES_PASSWORD={{ matrix_postgres_backup_connection_password }} -POSTGRES_HOST={{ matrix_postgres_backup_connection_hostname }} -POSTGRES_DB={{ matrix_postgres_backup_databases|join(', ') }} -POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} -SCHEDULE={{ matrix_postgres_backup_schedule }} -BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} -BACKUP_KEEP_WEEKS={{ matrix_postgres_backup_keep_weeks }} -BACKUP_KEEP_MONTHS={{ matrix_postgres_backup_keep_months }} -HEALTHCHECK_PORT={{ matrix_postgres_backup_healthcheck_port }} -POSTGRES_PORT={{ matrix_postgres_backup_connection_port }} \ No newline at end of file diff --git a/roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 deleted file mode 100644 index 618eb548e..000000000 --- a/roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 +++ /dev/null @@ -1,31 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Automatic Backup of Matrix Postgres server -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop matrix-postgres-backup -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres-backup 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-backup \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_postgres_backup_path }}/env-postgres-backup \ - --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ - {{ matrix_postgres_backup_docker_image_to_use }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop matrix-postgres-backup -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres-backup 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-postgres-backup - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-postgres/defaults/main.yml b/roles/custom/matrix-postgres/defaults/main.yml deleted file mode 100644 index 5a0cdb6c6..000000000 --- a/roles/custom/matrix-postgres/defaults/main.yml +++ /dev/null @@ -1,133 +0,0 @@ ---- -# Project source code URL: https://github.com/postgres/postgres - -# Controls if the Postgres server managed by the playbook is enabled. -# You can turn it off and use an external Postgres server by setting this to `false`. -# Doing this has various downsides. See `docs/configuring-playbook-external-postgres.md` to learn more. -matrix_postgres_enabled: true - -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_port: 5432 -matrix_postgres_connection_username: "matrix" -matrix_postgres_connection_password: "" -matrix_postgres_db_name: "matrix" - -matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" -matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" - -# matrix_postgres_systemd_services_to_stop_for_maintenance_list specifies the list of systemd services to stop before vacuuming or upgrading. -# These services will be restarted after the operation completes. -matrix_postgres_systemd_services_to_stop_for_maintenance_list: [] - -matrix_postgres_architecture: amd64 - -# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. -# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). -# On ARM32, `-alpine` images fail with the following error: -# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault -matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" - -matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.24{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.22{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.17{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.12{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.8{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.5{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v15: "{{ matrix_container_global_registry_prefix }}postgres:15.0{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v15 }}" - -# This variable is assigned at runtime. Overriding its value has no effect. -matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' - -matrix_postgres_docker_image_force_pull: "{{ matrix_postgres_docker_image_to_use.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_postgres_container_extra_arguments: [] - -# A list of extra arguments to pass to the postgres process -# e.g. "-c 'max_connections=200'" -matrix_postgres_process_extra_arguments: [] - -# Controls whether the matrix-postgres container exposes a port (tcp/5432 in the -# container) that can be used to access the database from outside the container (e.g. with psql) -# -# psql postgresql://username:password@localhost:/database_name -# -# Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. -matrix_postgres_container_postgres_bind_port: "" - -# A list of additional (databases and their credentials) to create. -# -# Example: -# matrix_postgres_additional_databases: -# - name: matrix_appservice_discord -# username: matrix_appservice_discord -# password: some_password -# - name: matrix_appservice_slack -# username: matrix_appservice_slack -# password: some_password -matrix_postgres_additional_databases: [] - -# A list of roles/users to avoid creating when importing (or upgrading) the database. -# If a dump file contains the roles and they've also been created beforehand (see `matrix_postgres_additional_databases`), -# importing would fail. -# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. -matrix_postgres_import_roles_to_ignore: | - {{ - ( - [matrix_postgres_connection_username] - + - matrix_postgres_additional_databases|map(attribute='username') | list - ) | unique - }} - -# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid: -# - creating users (`CREATE ROLE ..`) -# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`) -# -# Both of these operations are done by the playbook anyway. -# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file, -# which is unsupported by default by newer Postgres versions (v14+). -# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+. -# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default. -# -# We also allow for the role name to be quoted, which is rare, but might happen for role names which are special keywords (e.g. `default`). -matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE \\\"?({{ matrix_postgres_import_roles_to_ignore | join('|') }})\\\"?(;| WITH)" # noqa jinja[spacing] - -# A list of databases to avoid creating when importing (or upgrading) the database. -# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), -# importing would fail. -# We either need to not create them or to ignore the `CREATE DATABASE` statements in the dump. -matrix_postgres_import_databases_to_ignore: | - {{ - ( - [matrix_postgres_db_name] - + - matrix_postgres_additional_databases|map(attribute='name') | list - ) | unique - }} - -# We also allow for the database name to be quoted, which is rare, but might happen for database names which are special keywords (e.g. `default`). -matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE \\\"?({{ matrix_postgres_import_databases_to_ignore | join('|') }})\\\"?\\s" # noqa jinja[spacing] - -# The number of seconds to wait after starting `matrix-postgres.service` -# and before trying to run queries for creating additional databases/users against it. -# -# For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. -# -# On ARM, we wait some more. ARM32 devices are especially known for being slow. -# ARM64 likely don't need such a long delay, but it doesn't hurt too much having it. -matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: "{{ 45 if matrix_postgres_architecture in ['arm32', 'arm64'] else 15 }}" - - -matrix_postgres_pgloader_container_image_self_build: false -matrix_postgres_pgloader_container_image_self_build_repo: "https://github.com/illagrenan/pgloader-docker.git" -matrix_postgres_pgloader_container_image_self_build_repo_branch: "v{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgres_base_path }}/pgloader-container-src" - -# We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, -# because the official one only provides a `latest` tag. -matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_postgres_pgloader_docker_image_tag: "3.6.2" -matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml b/roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml deleted file mode 100644 index 1be8291b6..000000000 --- a/roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml +++ /dev/null @@ -1,75 +0,0 @@ ---- - -# This utility aims to determine if there is some existing Postgres version in use or not. -# If there is, it also tries to detect the Docker image that corresponds to that version. -# -# This utility is intentionally not in `tasks/util`, because if it were, it wouldn't be possible -# to include it in other roles via the import_role module: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/import_role_module.html - - -- name: Fail detection if expectation fails (Postgres not enabled) - ansible.builtin.fail: - msg: "Trying to detect the version of the built-in Postgres server, but Postgres installation is not enabled (`matrix_postgres_enabled: false`)" - when: not matrix_postgres_enabled - -- name: Initialize Postgres version determination variables (default to empty) - ansible.builtin.set_fact: - matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" - matrix_postgres_detected_existing: false - matrix_postgres_detected_version: "" - matrix_postgres_detected_version_corresponding_docker_image: "" - -- name: Determine existing Postgres version (check PG_VERSION file) - ansible.builtin.stat: - path: "{{ matrix_postgres_detection_pg_version_path }}" - register: result_pg_version_stat - -- ansible.builtin.set_fact: - matrix_postgres_detected_existing: true - when: "result_pg_version_stat.stat.exists" - -- name: Determine existing Postgres version (read PG_VERSION file) - ansible.builtin.slurp: - src: "{{ matrix_postgres_detection_pg_version_path }}" - register: result_pg_version - when: matrix_postgres_detected_existing | bool - -- name: Determine existing Postgres version (make sense of PG_VERSION file) - ansible.builtin.set_fact: - matrix_postgres_detected_version: "{{ result_pg_version['content'] | b64decode | replace('\n', '') }}" - when: matrix_postgres_detected_existing | bool - -- name: Determine corresponding Docker image to detected version (assume default of latest) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_latest }}" - when: "matrix_postgres_detected_version != ''" - -- name: Determine corresponding Docker image to detected version (use 9.x, if detected) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v9 }}" - when: "matrix_postgres_detected_version.startswith('9.')" - -- name: Determine corresponding Docker image to detected version (use 10.x, if detected) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v10 }}" - when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')" - -- name: Determine corresponding Docker image to detected version (use 11.x, if detected) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v11 }}" - when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')" - -- name: Determine corresponding Docker image to detected version (use 12.x, if detected) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" - when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" - -- name: Determine corresponding Docker image to detected version (use 13.x, if detected) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}" - when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')" - -- name: Determine corresponding Docker image to detected version (use 14.x, if detected) - ansible.builtin.set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v14 }}" - when: "matrix_postgres_detected_version == '14' or matrix_postgres_detected_version.startswith('14.')" diff --git a/roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml b/roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml deleted file mode 100644 index c3fff5208..000000000 --- a/roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml +++ /dev/null @@ -1,102 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars" - when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')" - -- name: Check if the provided SQLite database file exists - ansible.builtin.stat: - path: "{{ sqlite_database_path }}" - register: sqlite_database_path_stat_result - -- name: Fail if provided SQLite database file doesn't exist - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ sqlite_database_path }}" - when: "not sqlite_database_path_stat_result.stat.exists" - -# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, -# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. - -- when: 'postgres_connection_string_variable_name is defined' - block: - - name: Fail if postgres_connection_string_variable_name points to an undefined variable - ansible.builtin.fail: - msg: "postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" - when: "postgres_connection_string_variable_name not in vars" - - - name: Get Postgres connection string from variable - ansible.builtin.set_fact: - postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: >- - Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. - Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` - when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed | bool" - -- name: Import SQLite database from {{ sqlite_database_path }} into Postgres # noqa name[template] - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ sqlite_database_path }},dst=/in.db,ro - --entrypoint=/bin/sh - {{ matrix_postgres_pgloader_docker_image }} - -c - 'pgloader /in.db {{ postgres_db_connection_string }}' - register: matrix_postgres_import_generic_sqlite_db_import_result - changed_when: matrix_postgres_import_generic_sqlite_db_import_result.rc == 0 - -- name: Archive SQLite database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) # noqa name[template] - ansible.builtin.command: - cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" - register: matrix_postgres_import_generic_sqlite_db_move_result - changed_when: matrix_postgres_import_generic_sqlite_db_move_result.rc == 0 - -- name: Inject result - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: Your SQLite database file has been imported into Postgres. The original file has been moved from `{{ sqlite_database_path }}` to `{{ sqlite_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/custom/matrix-postgres/tasks/import_postgres.yml b/roles/custom/matrix-postgres/tasks/import_postgres.yml deleted file mode 100644 index d21333adc..000000000 --- a/roles/custom/matrix-postgres/tasks/import_postgres.yml +++ /dev/null @@ -1,114 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')" - -- name: Check if the provided Postgres dump file exists - ansible.builtin.stat: - path: "{{ server_path_postgres_dump }}" - register: result_server_path_postgres_dump_stat - -- name: Fail if provided Postgres dump file doesn't exists - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ server_path_postgres_dump }}" - when: "not result_server_path_postgres_dump_stat.stat.exists" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -- name: Set postgres_import_wait_time, if not provided - ansible.builtin.set_fact: - postgres_import_wait_time: "{{ 7 * 86400 }}" - when: "postgres_import_wait_time | default('') == ''" - -# By default, we connect and import into the main (`matrix`) database. -# Single-database dumps for Synapse may wish to import into `synapse` instead. -- name: Set postgres_default_import_database, if not provided - ansible.builtin.set_fact: - postgres_default_import_database: "{{ matrix_postgres_db_name }}" - when: "postgres_default_import_database | default('') == ''" - -# Actual import work - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_import_start_result - -- name: Wait a bit, so that Postgres can start - when: matrix_postgres_import_start_result.changed | bool - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- ansible.builtin.import_tasks: tasks/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - ansible.builtin.fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing | bool" - -# Starting the database container had automatically created the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). -# The dump most likely contains those same entries and would try to re-create them, leading to errors. -# We need to skip over those lines. -- name: Generate Postgres database import command - ansible.builtin.set_fact: - matrix_postgres_import_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-import - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --mount type=bind,src={{ server_path_postgres_dump }},dst=/{{ server_path_postgres_dump | basename }},ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} - -c "cat /{{ server_path_postgres_dump | basename }} | - {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} - grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | - grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname={{ postgres_default_import_database }}" - tags: - - skip_ansible_lint - -# This is a hack. -# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ -# -# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_postgres_import_command`) -- name: Note about Postgres importing alternative - ansible.builtin.set_fact: - dummy: true - with_items: - - >- - Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. - If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), - delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`) - and manually run the above import command directly on the server. - -- name: Perform Postgres database import - ansible.builtin.command: - cmd: "{{ matrix_postgres_import_command }}" - async: "{{ postgres_import_wait_time }}" - poll: 10 - register: matrix_postgres_import_postgres_command_result - failed_when: not matrix_postgres_import_postgres_command_result.finished or matrix_postgres_import_postgres_command_result.rc != 0 - changed_when: matrix_postgres_import_postgres_command_result.finished and matrix_postgres_import_postgres_command_result.rc == 0 diff --git a/roles/custom/matrix-postgres/tasks/init.yml b/roles/custom/matrix-postgres/tasks/init.yml deleted file mode 100644 index 659380f10..000000000 --- a/roles/custom/matrix-postgres/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}" - when: matrix_postgres_enabled | bool diff --git a/roles/custom/matrix-postgres/tasks/main.yml b/roles/custom/matrix-postgres/tasks/main.yml deleted file mode 100644 index 8e21b3c63..000000000 --- a/roles/custom/matrix-postgres/tasks/main.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_postgres_enabled | bool" - tags: - - setup-all - - setup-postgres - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_postgres.yml" - when: run_setup | bool - tags: - - setup-all - - setup-postgres - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_postgres.yml" - when: run_postgres_import | bool - tags: - - import-postgres - -# The `run_postgres_import_sqlite_db` variable had better be renamed to be consistent, -# but that's a breaking change which may cause trouble for people. -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml" - when: run_postgres_import_sqlite_db | bool - tags: - - import-synapse-sqlite-db - -# Perhaps we need a new variable here, instead of `run_postgres_import_sqlite_db`. -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_generic_sqlite_db.yml" - when: run_postgres_import_sqlite_db | bool - tags: - - import-generic-sqlite-db - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" - when: run_postgres_upgrade | bool - tags: - - upgrade-postgres - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/run_vacuum.yml" - when: run_postgres_vacuum | bool - tags: - - run-postgres-vacuum diff --git a/roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml b/roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml deleted file mode 100644 index dca284ad1..000000000 --- a/roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml +++ /dev/null @@ -1,176 +0,0 @@ ---- - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if util called incorrectly (missing matrix_postgres_db_migration_request) - ansible.builtin.fail: - msg: "The `matrix_postgres_db_migration_request` variable needs to be provided to this util." - when: "matrix_postgres_db_migration_request is not defined" - -- name: Fail if util called incorrectly (invalid matrix_postgres_db_migration_request) - ansible.builtin.fail: - msg: "The `matrix_postgres_db_migration_request` variable needs to contain `{{ item }}`." - with_items: - - src - - dst - - caller - - engine_variable_name - - systemd_services_to_stop - when: "item not in matrix_postgres_db_migration_request" - -- name: Check if the provided source database file exists - ansible.builtin.stat: - path: "{{ matrix_postgres_db_migration_request.src }}" - register: matrix_postgres_db_migration_request_src_stat_result - -- name: Fail if provided source database file doesn't exist - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ matrix_postgres_db_migration_request.src }}" - when: "not matrix_postgres_db_migration_request_src_stat_result.stat.exists" - -- when: "matrix_postgres_pgloader_container_image_self_build | bool" - block: - - name: Ensure pgloader repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_postgres_pgloader_container_image_self_build_repo }}" - dest: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" - version: "{{ matrix_postgres_pgloader_container_image_self_build_repo_branch }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_postgres_pgloader_git_pull_results - - # If `stable` is used, we hit an error when processing /opt/src/pgloader/build/quicklisp/dists/quicklisp/software/uax-15-20201220-git/data/CompositionExclusions.txt: - # > the octet sequence #(194) cannot be decoded - # - # The issue is described here and is not getting fixed for months: https://github.com/dimitri/pgloader/pull/1179 - # - # Although we're not using the dimitri/pgloader image, the one we're using suffers from the same problem. - - name: Switch pgloader base image from Debian stable (likely 10.x/Buster) to Bullseye - ansible.builtin.lineinfile: - path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}/Dockerfile" - regexp: "{{ item.match }}" - line: "{{ item.replace }}" - with_items: - - match: '^FROM debian:stable-slim as builder$' - replace: 'FROM debian:bullseye-slim as builder' - - match: '^FROM debian:stable-slim$' - replace: 'FROM debian:bullseye-slim' - - - name: Ensure pgloader Docker image is built - community.docker.docker_image: - name: "{{ matrix_postgres_pgloader_docker_image }}" - source: build - force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" - pull: true - -- name: Ensure pgloader Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_pgloader_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_pgloader_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_docker_image_force_pull }}" - when: "not matrix_postgres_pgloader_container_image_self_build" - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -# Actual import work - -# matrix-postgres is most likely started already -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed | bool" - -# We only stop services here, leaving it to the caller to start them later. -# -# We can't start them, because they probably need to be reconfigured too (changing the configuration from using SQLite to Postgres, etc.), -# before starting. -# -# Since the caller will be starting them, it might make sense to leave stopping to it as well. -# However, we don't do it, because it's simpler having it here, and it also gets to happen only if we'll be doing an import. -# If we bailed out (somewhere above), nothing would have gotten stopped. It's nice to leave this running in such cases. -- name: Ensure systemd services blocking the database import are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - failed_when: false - with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" - -- name: Import {{ matrix_postgres_db_migration_request.engine_old }} database from {{ matrix_postgres_db_migration_request.src }} into Postgres # noqa name[template] - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_postgres_db_migration_request.src }},dst=/in.db,ro - --entrypoint=/bin/sh - {{ matrix_postgres_pgloader_docker_image }} - -c - 'pgloader {{ matrix_postgres_db_migration_request.pgloader_options | default([]) | join(' ') }} /in.db {{ matrix_postgres_db_migration_request.dst }}' - register: matrix_postgres_migrate_db_to_postgres_import_result - changed_when: matrix_postgres_migrate_db_to_postgres_import_result.rc == 0 - -- when: "matrix_postgres_db_migration_request.additional_psql_statements_list | default([]) | length > 0" - block: - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: detect_existing_postgres_version - - - ansible.builtin.set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" - - - name: Execute additional Postgres SQL migration statements - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --network={{ matrix_docker_network }} - {{ matrix_postgres_docker_image_to_use }} - psql --host=matrix-postgres --dbname={{ matrix_postgres_db_migration_request.additional_psql_statements_db_name }} --command='{{ item }}' - with_items: "{{ matrix_postgres_db_migration_request.additional_psql_statements_list }}" - register: matrix_postgres_migrate_db_to_postgres_additional_queries_result - changed_when: matrix_postgres_migrate_db_to_postgres_additional_queries_result.rc == 0 - -- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) # noqa name[template] - ansible.builtin.command: - cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" - register: matrix_postgres_migrate_db_to_postgres_move_result - changed_when: matrix_postgres_migrate_db_to_postgres_move_result.rc == 0 - -- name: Inject result - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: Your {{ matrix_postgres_db_migration_request.engine_old }} database file has been imported into Postgres. The original database file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml deleted file mode 100644 index 062a05c4a..000000000 --- a/roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ /dev/null @@ -1,78 +0,0 @@ ---- - -# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`). -# -# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`). -# We wish to use the base directory for other purposes (storing environment variable files, etc.). -# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize -# a database in a non-empty directory. -# -# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations -# which still store it in the parent directory (`/matrix/postgres`). -# -# This utility is intentionally not in `tasks/util`, because if it were, it wouldn't be possible -# to include it in other roles via the import_role module: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/import_role_module.html - -- name: Check if old Postgres data directory is used - ansible.builtin.stat: - path: "{{ matrix_postgres_base_path }}/PG_VERSION" - register: result_pg_old_data_dir_stat - -- name: Warn if old Postgres data directory detected - ansible.builtin.debug: - msg: > - Found that you have Postgres data in `{{ matrix_postgres_base_path }}`. - From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead. - We'll stop Postgres and relocate the files there for you. - when: "result_pg_old_data_dir_stat.stat.exists" - -# We should stop Postgres first, before building a list of files, -# as to ignore any `postmaster.pid` files, etc. -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - daemon_reload: true - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Find files and directories in old Postgres data path - ansible.builtin.find: - paths: "{{ matrix_postgres_base_path }}" - file_type: any - excludes: ["data"] - register: "result_pg_old_data_dir_find" - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Ensure new Postgres data path exists - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "result_pg_old_data_dir_stat.stat.exists" - -- when: "result_pg_old_data_dir_stat.stat.exists" - block: - - name: Relocate Postgres data files from old directory to new - ansible.builtin.command: - cmd: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path | basename }}" - with_items: "{{ result_pg_old_data_dir_find.files }}" - register: matrix_postgres_migrate_postgres_data_directory_move_result - changed_when: matrix_postgres_migrate_postgres_data_directory_move_result.rc == 0 - -# Intentionally not starting matrix-postgres here. -# It likely needs to be updated to point to the new directory. -# In fact, let's even get rid of the outdated service, to ensure no one will start it -# and have it initialize a new database. - -- name: Ensure outdated matrix-postgres.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - state: absent - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service - ansible.builtin.service: - daemon_reload: true - when: "result_pg_old_data_dir_stat.stat.exists" diff --git a/roles/custom/matrix-postgres/tasks/run_vacuum.yml b/roles/custom/matrix-postgres/tasks/run_vacuum.yml deleted file mode 100644 index dfa4be7a3..000000000 --- a/roles/custom/matrix-postgres/tasks/run_vacuum.yml +++ /dev/null @@ -1,96 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run vacuum." - when: "not matrix_postgres_enabled | bool" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -- name: Set postgres_vacuum_wait_time, if not provided - ansible.builtin.set_fact: - postgres_vacuum_wait_time: "{{ 7 * 86400 }}" - when: "postgres_vacuum_wait_time | default('') == ''" - - -# Actual vacuuming work - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_vacuum_start_result - -- name: Wait a bit, so that Postgres can start - when: matrix_postgres_vacuum_start_result.changed | bool - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- ansible.builtin.import_tasks: tasks/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - ansible.builtin.fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing | bool" - -- name: Generate Postgres database vacuum command - ansible.builtin.set_fact: - matrix_postgres_vacuum_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c 'VACUUM FULL VERBOSE' - -- name: Note about Postgres vacuum alternative - ansible.builtin.debug: - msg: >- - Running vacuum with the following Postgres ansible.builtin.command: `{{ matrix_postgres_vacuum_command }}`. - If this crashes, you can stop all processes (`systemctl stop matrix-*`), - start Postgres only (`systemctl start matrix-postgres`) - and manually run the above command directly on the server. - -- name: Populate service facts - ansible.builtin.service_facts: - -- ansible.builtin.set_fact: - matrix_postgres_synapse_was_running: "{{ ansible_facts.services['matrix-synapse.service'] | default(none) is not none and ansible_facts.services['matrix-synapse.service'].state == 'running' }}" - -- name: Ensure services are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" - -- name: Run Postgres vacuum command - ansible.builtin.command: "{{ matrix_postgres_vacuum_command }}" - async: "{{ postgres_vacuum_wait_time }}" - poll: 10 - register: matrix_postgres_synapse_vacuum_result - failed_when: not matrix_postgres_synapse_vacuum_result.finished or matrix_postgres_synapse_vacuum_result.rc != 0 - changed_when: matrix_postgres_synapse_vacuum_result.finished and matrix_postgres_synapse_vacuum_result.rc == 0 - -# Intentionally show the results -- ansible.builtin.debug: - var: "matrix_postgres_synapse_vacuum_result" - -- name: Ensure services are started - ansible.builtin.service: - name: "{{ item }}" - state: started - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" diff --git a/roles/custom/matrix-postgres/tasks/setup_postgres.yml b/roles/custom/matrix-postgres/tasks/setup_postgres.yml deleted file mode 100644 index bba0d7989..000000000 --- a/roles/custom/matrix-postgres/tasks/setup_postgres.yml +++ /dev/null @@ -1,215 +0,0 @@ ---- - -# -# Tasks related to setting up an internal postgres server -# - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml" - when: matrix_postgres_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/detect_existing_postgres_version.yml" - when: matrix_postgres_enabled | bool - -# If we have found an existing version (installed from before), we use its corresponding Docker image. -# If not, we install using the latest Postgres. -# -# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). -- ansible.builtin.set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" - when: matrix_postgres_enabled | bool - -- name: Abort if on an unsupported Postgres version - ansible.builtin.fail: - msg: "You're on Postgres {{ matrix_postgres_detected_version }}, which is no longer supported. To upgrade, see docs/maintenance-postgres.md" - when: "matrix_postgres_enabled | bool and matrix_postgres_detected_version.startswith('9.')" - -- name: Inject warning if on an old version of Postgres - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" - ] - }} - when: "matrix_postgres_enabled | bool and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" - -# Even if we don't run the internal server, we still need this for running the CLI -- name: Ensure postgres Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_docker_image_force_pull }}" - when: matrix_postgres_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Postgres paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_postgres_base_path }}" - - "{{ matrix_postgres_data_path }}" - when: matrix_postgres_enabled | bool - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure Postgres data path ownership is correct - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: true - when: matrix_postgres_enabled | bool - -- name: Ensure Postgres environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_postgres_base_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - with_items: - - "env-postgres-psql" - - "env-postgres-server" - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres-cli script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres-cli-non-interactive script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli-non-interactive" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-change-user-admin-status script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" - dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: (Migration) Ensure old matrix-make-user-admin script deleted - ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/matrix-make-user-admin" - state: absent - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres-update-user-password-hash script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - mode: 0644 - register: matrix_postgres_systemd_service_result - when: matrix_postgres_enabled | bool - -- name: Ensure systemd reloaded after matrix-postgres.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_postgres_enabled | bool and matrix_postgres_systemd_service_result.changed" - -- ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/create_additional_databases.yml" - apply: - tags: - - always - when: "matrix_postgres_enabled | bool and matrix_postgres_additional_databases|length > 0" - -- name: Check existence of matrix-postgres backup data path - ansible.builtin.stat: - path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" - register: matrix_postgres_data_backup_path_stat - when: "matrix_postgres_enabled | bool" - -- name: Inject warning if backup data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You have some Postgres backup data in `{{ matrix_postgres_data_path }}-auto-upgrade-backup`, which was created during the last major Postgres update you ran. If your setup works well after this upgrade, feel free to delete this whole directory." - ] - }} - when: "matrix_postgres_enabled | bool and matrix_postgres_data_backup_path_stat.stat.exists" - - -# -# Tasks related to getting rid of the internal postgres server (if it was previously enabled) -# - -- name: Check existence of matrix-postgres service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - register: matrix_postgres_service_stat - when: "not matrix_postgres_enabled | bool" - -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - daemon_reload: true - when: "not matrix_postgres_enabled | bool and matrix_postgres_service_stat.stat.exists" - -- name: Ensure matrix-postgres.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - state: absent - when: "not matrix_postgres_enabled | bool and matrix_postgres_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-postgres.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_postgres_enabled | bool and matrix_postgres_service_stat.stat.exists" - -- name: Check existence of matrix-postgres local data path - ansible.builtin.stat: - path: "{{ matrix_postgres_data_path }}" - register: matrix_postgres_data_path_stat - when: "not matrix_postgres_enabled | bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Inject warning if matrix-postgres local data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." - ] - }} - when: "not matrix_postgres_enabled | bool and matrix_postgres_data_path_stat.stat.exists" - -- name: Remove Postgres scripts - ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/{{ item }}" - state: absent - with_items: - - matrix-postgres-cli - - matrix-change-user-admin-status - - matrix-postgres-update-user-password-hash - when: "not matrix_postgres_enabled | bool" diff --git a/roles/custom/matrix-postgres/tasks/upgrade_postgres.yml b/roles/custom/matrix-postgres/tasks/upgrade_postgres.yml deleted file mode 100644 index d5f7e6c37..000000000 --- a/roles/custom/matrix-postgres/tasks/upgrade_postgres.yml +++ /dev/null @@ -1,188 +0,0 @@ ---- - -- name: Set default postgres_dump_dir, if not provided - ansible.builtin.set_fact: - postgres_dump_dir: "/tmp" - when: "postgres_dump_dir | default('') == ''" - -- name: Set postgres_dump_name, if not provided - ansible.builtin.set_fact: - postgres_dump_name: "matrix-postgres-dump.sql.gz" - when: "postgres_dump_name | default('') == ''" - -- name: Set postgres_auto_upgrade_backup_data_path, if not provided - ansible.builtin.set_fact: - postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" - when: "postgres_auto_upgrade_backup_data_path | default('') == ''" - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -- name: Set postgres_force_upgrade, if not provided - ansible.builtin.set_fact: - postgres_force_upgrade: false - when: "postgres_force_upgrade | default('') == ''" - -- name: Fail, if trying to upgrade external Postgres database - ansible.builtin.fail: - msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." - when: "not matrix_postgres_enabled | bool" - -- name: Check Postgres auto-upgrade backup data directory - ansible.builtin.stat: - path: "{{ postgres_auto_upgrade_backup_data_path }}" - register: result_auto_upgrade_path - -- name: Abort, if existing Postgres auto-upgrade data path detected - ansible.builtin.fail: - msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." - when: "result_auto_upgrade_path.stat.exists" - -- ansible.builtin.import_tasks: tasks/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - ansible.builtin.fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing | bool" - -- name: Abort, if already at latest Postgres version - ansible.builtin.fail: - msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" - when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade" - -- ansible.builtin.debug: - msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" - -- name: Ensure services are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# We dump all databases, roles, etc. -# -# Because we'll be importing into a new container which initializes the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`) by itself on startup, -# we need to remove these from the dump, or we'll get errors saying these already exist. -- name: Perform Postgres database dump - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-dump - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --entrypoint=/bin/sh - --mount type=bind,src={{ postgres_dump_dir }},dst=/out - {{ matrix_postgres_detected_version_corresponding_docker_image }} - -c "pg_dumpall -h matrix-postgres - {{ '| gzip -c ' if postgres_dump_name.endswith('.gz') else '' }} - > /out/{{ postgres_dump_name }}" - register: matrix_postgres_upgrade_postgres_dump_command_result - changed_when: matrix_postgres_upgrade_postgres_dump_command_result.rc == 0 - tags: - - skip_ansible_lint - -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - -- name: Rename existing Postgres data directory - ansible.builtin.command: - cmd: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}" - register: matrix_postgres_upgrade_postgres_move_command_result - changed_when: matrix_postgres_upgrade_postgres_move_command_result.rc == 0 - -- ansible.builtin.debug: - msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." - -- ansible.builtin.import_tasks: tasks/setup_postgres.yml - -- name: Ensure matrix-postgres autoruns and is restarted - ansible.builtin.service: - name: matrix-postgres - enabled: true - state: restarted - daemon_reload: true - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# Starting the database container had automatically created the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). -# The dump most likely contains those same entries and would try to re-create them, leading to errors. -# We need to skip over those lines. -- name: Generate Postgres database import command - ansible.builtin.set_fact: - matrix_postgres_import_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-import - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --entrypoint=/bin/sh - --mount type=bind,src={{ postgres_dump_dir }},dst=/in,ro - {{ matrix_postgres_docker_image_latest }} - -c "cat /in/{{ postgres_dump_name }} | - {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }} - grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | - grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres" - tags: - - skip_ansible_lint - -# This is a hack. -# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ -# -# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_postgres_import_command`) -- name: Note about Postgres importing - ansible.builtin.set_fact: - dummy: true - with_items: - - >- - Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. - If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), - delete the new database data (`rm -rf {{ matrix_postgres_data_path }}`) - and restore the automatically-made backup (`mv {{ postgres_auto_upgrade_backup_data_path }} {{ matrix_postgres_data_path }}`). - -- name: Perform Postgres database import - ansible.builtin.command: - cmd: "{{ matrix_postgres_import_command }}" - register: matrix_postgres_upgrade_postgres_import_command_result - changed_when: matrix_postgres_upgrade_postgres_import_command_result.rc == 0 - -- name: Delete Postgres database dump file - ansible.builtin.file: - path: "{{ postgres_dump_dir }}/{{ postgres_dump_name }}" - state: absent - -- name: Ensure services are started - ansible.builtin.service: - name: "{{ item }}" - state: started - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" - -- ansible.builtin.debug: - msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well." diff --git a/roles/custom/matrix-postgres/tasks/util/create_additional_database.yml b/roles/custom/matrix-postgres/tasks/util/create_additional_database.yml deleted file mode 100644 index ce441ee13..000000000 --- a/roles/custom/matrix-postgres/tasks/util/create_additional_database.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -# It'd be better if this is belonged to `validate_config.yml`, but it would have to be some loop-within-a-loop there, -# and that's ugly. We also don't expect this to catch errors often. It's more of a defensive last-minute check. -- name: Fail if additional database data appears invalid - ansible.builtin.fail: - msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}" - when: "item not in additional_db" - with_items: "{{ ['name', 'username', 'password'] }}" - -# The SQL statements that we'll run against Postgres are stored in a file that others can't read. -# This file will be mounted into the container and fed to Postgres. -# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see. -- name: Create additional database initialization SQL file for {{ additional_db.name }} - ansible.builtin.template: - src: "{{ role_path }}/templates/sql/init-additional-db-user-and-role.sql.j2" - dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql" - mode: 0600 - owner: "{{ matrix_user_uid }}" - group: "{{ matrix_user_gid }}" - -- name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }} - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --network {{ matrix_docker_network }} - --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_to_use }} - -c - 'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql' - changed_when: true - -- name: Delete additional database initialization SQL file for {{ additional_db.name }} - ansible.builtin.file: - path: /tmp/matrix-postgres-init-additional-db-user-and-role.sql - state: absent diff --git a/roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml deleted file mode 100644 index 7fe5713e1..000000000 --- a/roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed | bool" - -- name: Create additional Postgres user and database - ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml" - with_items: "{{ matrix_postgres_additional_databases }}" - loop_control: - loop_var: additional_db - # Suppress logging to avoid dumping the credentials to the shell - no_log: true diff --git a/roles/custom/matrix-postgres/tasks/validate_config.yml b/roles/custom/matrix-postgres/tasks/validate_config.yml deleted file mode 100644 index a6225632c..000000000 --- a/roles/custom/matrix-postgres/tasks/validate_config.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- - -- name: (Deprecation) Warn about matrix_postgres_use_external usage - ansible.builtin.fail: - msg: > - The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of using an external Postgres server. - It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection - details in a few `matrix_postgres_connection_` variables. - See the "Using an external PostgreSQL server (optional)" documentation page. - when: "'matrix_postgres_use_external' in vars" - -# This is separate (from the other required variables below), -# because we'd like to have a friendlier message for our existing users. -- name: Fail if matrix_postgres_connection_password not defined - ansible.builtin.fail: - msg: >- - The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. - You need to perform multiple manual steps to resolve this. - See our changelog for more details: - https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention - when: "matrix_postgres_connection_password == ''" - -- name: Fail if required Postgres settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_postgres_connection_hostname" - - "matrix_postgres_connection_port" - - "matrix_postgres_connection_username" - - "matrix_postgres_connection_password" - - "matrix_postgres_db_name" - -- name: Fail if Postgres password length exceeded - ansible.builtin.fail: - msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" - when: "matrix_postgres_connection_password | length > 99" diff --git a/roles/custom/matrix-postgres/templates/env-postgres-psql.j2 b/roles/custom/matrix-postgres/templates/env-postgres-psql.j2 deleted file mode 100644 index 220589874..000000000 --- a/roles/custom/matrix-postgres/templates/env-postgres-psql.j2 +++ /dev/null @@ -1,8 +0,0 @@ -#jinja2: lstrip_blocks: "True" -PGUSER={{ matrix_postgres_connection_username }} -PGPASSWORD={{ matrix_postgres_connection_password }} -PGDATABASE={{ matrix_postgres_db_name }} -# Prevent errors like this: -# > could not save history to file "//.psql_history": Permission denied -# .. due to Postgres not being able to write to the filesystem. -PSQL_HISTORY=/dev/null diff --git a/roles/custom/matrix-postgres/templates/env-postgres-server.j2 b/roles/custom/matrix-postgres/templates/env-postgres-server.j2 deleted file mode 100644 index 06feb82a6..000000000 --- a/roles/custom/matrix-postgres/templates/env-postgres-server.j2 +++ /dev/null @@ -1,7 +0,0 @@ -#jinja2: lstrip_blocks: "True" -POSTGRES_USER={{ matrix_postgres_connection_username }} -POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} -POSTGRES_DB={{ matrix_postgres_db_name }} -# Synapse refuses to run if collation is not C. -# See https://github.com/matrix-org/synapse/issues/6722 -POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8 diff --git a/roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 b/roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 deleted file mode 100644 index a5a3385b6..000000000 --- a/roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 +++ /dev/null @@ -1,19 +0,0 @@ --- `CREATE USER` does not support `IF NOT EXISTS`, so we use this workaround to prevent an error and raise a notice instead. --- Seen here: https://stackoverflow.com/a/49858797 -DO $$ -BEGIN - CREATE USER "{{ additional_db.username }}"; - EXCEPTION WHEN DUPLICATE_OBJECT THEN - RAISE NOTICE 'not creating user "{{ additional_db.username }}", since it already exists'; -END -$$; - --- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes --- TODO - we should escape quotes in the password. -ALTER ROLE "{{ additional_db.username }}" PASSWORD '{{ additional_db.password }}'; - --- This will generate an error on subsequent execution -CREATE DATABASE "{{ additional_db.name }}" WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER "{{ additional_db.username }}"; - --- This is useful for changing the database owner subsequently -ALTER DATABASE "{{ additional_db.name }}" OWNER TO "{{ additional_db.username }}"; diff --git a/roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 deleted file mode 100644 index e63267a3e..000000000 --- a/roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ /dev/null @@ -1,46 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Postgres server -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-postgres 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres 2>/dev/null || true' - -# We need /dev/shm to be larger than the default to allow VACUUM to work. -# See: -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1362 -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1268 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ - --shm-size=256m \ - --network={{ matrix_docker_network }} \ - {% if matrix_postgres_container_postgres_bind_port %} - -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ - {% endif %} - --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ - --mount type=bind,src={{ matrix_postgres_data_path }},dst=/var/lib/postgresql/data \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - {% for arg in matrix_postgres_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_postgres_docker_image_to_use }} \ - postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-postgres 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-postgres - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 deleted file mode 100644 index f378a10f5..000000000 --- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ /dev/null @@ -1,19 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 2 ]; then - echo "Usage: "$0" <0/1>" - echo "Usage: 0 = non-admin" - echo "Usage: 1 = admin" - exit 1 -fi - -docker run \ - -i \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2 deleted file mode 100644 index 012bb327f..000000000 --- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2 +++ /dev/null @@ -1,12 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -docker run \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} \ - "$@" diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 deleted file mode 100644 index de09a4eb2..000000000 --- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ /dev/null @@ -1,13 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -docker run \ - -it \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} \ - "$@" diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 deleted file mode 100644 index 0fbf4f21b..000000000 --- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 +++ /dev/null @@ -1,16 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 2 ]; then - echo "Usage: "$0" " - exit 1 -fi - -docker run \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml new file mode 100644 index 000000000..806c751c8 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml @@ -0,0 +1,51 @@ +--- +# prometheus-nginxlog-exporter exports nginx logs in a prometheus usable format on a `/metrics/ endpoint +# See: https://github.com/martin-helmich/prometheus-nginxlog-exporter/ + +matrix_prometheus_nginxlog_exporter_enabled: true +matrix_prometheus_nginxlog_exporter_version: v1.10.0 + +matrix_prometheus_nginxlog_exporter_container_hostname: 'matrix-prometheus-nginxlog-exporter' +matrix_prometheus_nginxlog_exporter_container_metrics_port: '4040' +matrix_prometheus_nginxlog_exporter_container_syslog_port: '6514' + +matrix_prometheus_nginxlog_exporter_docker_image_arch: ['amd64', 'arm64'] +matrix_prometheus_nginxlog_exporter_docker_image_name_prefix: "{{ 'ghcr.io/martin-helmich/' }}" +matrix_prometheus_nginxlog_exporter_docker_image_tag: "{{ 'latest' if matrix_prometheus_nginxlog_exporter_version == 'master' else matrix_prometheus_nginxlog_exporter_version }}-{{ matrix_architecture }}" +matrix_prometheus_nginxlog_exporter_docker_image: "{{ matrix_prometheus_nginxlog_exporter_docker_image_name_prefix }}prometheus-nginxlog-exporter/exporter:{{ matrix_prometheus_nginxlog_exporter_docker_image_tag }}" +matrix_prometheus_nginxlog_exporter_docker_image_force_pull: "{{ matrix_prometheus_nginxlog_exporter_docker_image.endswith(':latest') }}" +matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: true + +# Controls whether prometheus-nginxlog-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/nginxlog`. +# This will only take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: false + +# matrix_prometheus_nginxlog_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions. +# If the Grafana role is enabled, these dashboards will be downloaded. +matrix_prometheus_nginxlog_exporter_dashboard_urls: [] + +matrix_prometheus_nginxlog_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-nginxlog-exporter" +matrix_prometheus_nginxlog_exporter_config_path: "{{ matrix_prometheus_nginxlog_exporter_base_path }}/config" + +matrix_prometheus_nginxlog_exporter_container_network: "{{ matrix_docker_network }}" + +# A list of extra docker arguments to pass to the container +matrix_prometheus_nginxlog_exporter_container_extra_arguments: [] + +# List of systemd services that matrix-prometheus_nginxlog_exporter.service depends on +matrix_prometheus_nginxlog_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus_nginxlog_exporter.service wants +matrix_prometheus_nginxlog_exporter_systemd_wanted_services_list: [] + +# Controls whether the matrix-prometheus_nginxlog_exporter container exposes its HTTP port (tcp/4040 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:4040"), or empty string to not expose. +matrix_prometheus_nginxlog_exporter_container_http_host_bind_port: '' + +# Controls whether the matrix-prometheus_nginxlog_exporter container exposes its SYSLOG port (udp/6514 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:6514"), or empty string to not expose. +# NOTE: is an UDP connection! +matrix_prometheus_nginxlog_exporter_container_syslog_host_bind_port: '' diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/examples/grafana.png b/roles/custom/matrix-prometheus-nginxlog-exporter/examples/grafana.png new file mode 100644 index 000000000..49fa02113 Binary files /dev/null and b/roles/custom/matrix-prometheus-nginxlog-exporter/examples/grafana.png differ diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/examples/metrics.png b/roles/custom/matrix-prometheus-nginxlog-exporter/examples/metrics.png new file mode 100644 index 000000000..b81265268 Binary files /dev/null and b/roles/custom/matrix-prometheus-nginxlog-exporter/examples/metrics.png differ diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..15317de09 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,31 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append prometheus-nginxlog-exporter's configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role is already executed. + To fix this, please change the order of roles in your playbook to make sure that + the matrix-nginx-proxy role is run after the prometheus-nginxlog-exporter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate prometheus-nginxlog-exporter's metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/nginxlog) + ansible.builtin.set_fact: + matrix_prometheus_nginxlog_exporter_matrix_nginx_proxy_metrics_configuration_matrix_domain: | + location /metrics/nginxlog { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port }}"; + proxy_pass http://$backend/metrics; + } + when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool and matrix_nginx_proxy_enabled | bool + +- name: Register prometheus-nginxlog-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/nginxlog) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_prometheus_nginxlog_exporter_matrix_nginx_proxy_metrics_configuration_matrix_domain] + }} + when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml new file mode 100644 index 000000000..ad0474604 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml @@ -0,0 +1,29 @@ +--- + +- tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + block: + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + +- tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + block: + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-prometheus-nginxlog-exporter + block: + - when: not matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml new file mode 100644 index 000000000..8d3fe1d49 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml @@ -0,0 +1,42 @@ +--- + +- name: Ensure matrix-prometheus-nginxlog-exporter image is pulled + community.docker.docker_image: + name: "{{ matrix_prometheus_nginxlog_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_nginxlog_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_nginxlog_exporter_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure prometheus-nginxlog-exporter paths exists + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_prometheus_nginxlog_exporter_base_path }}" + - "{{ matrix_prometheus_nginxlog_exporter_config_path }}" + +- name: Ensure prometheus-nginxlog-exporter.yaml present + ansible.builtin.template: + src: "{{ role_path }}/templates/prometheus-nginxlog-exporter.yaml.j2" + dest: "{{ matrix_prometheus_nginxlog_exporter_config_path }}/prometheus-nginxlog-exporter.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure prometheus-nginxlog-exporter container network is created + community.general.docker_network: + name: "{{ matrix_prometheus_nginxlog_exporter_container_network }}" + driver: bridge + +- name: Ensure matrix-prometheus-nginxlog-exporter.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" + mode: 0644 diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml new file mode 100644 index 000000000..93c4aefc1 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml @@ -0,0 +1,34 @@ +--- + +- name: Check existence of matrix-prometheus-nginxlog-exporter service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" + register: matrix_prometheus_nginxlog_exporter_service_stat + +- when: matrix_prometheus_nginxlog_exporter_service_stat.stat.exists | bool + block: + - name: Fail when not cleaning up nginx and prometheus configs + ansible.builtin.fail: + msg: > + This role has added to configs in 'matrix-nginx-proxy', 'matrix-synapse-reverse-proxy-companion' and 'matrix-prometheus'. + Running 'setup-synapse-reverse-proxy-companion' WILL NOT remove those settings from those roles. + Run the playbook again with the `setup-all` tag or all three 'setup-nginx-proxy,setup-synapse-reverse-proxy-companion,setup-prometheus' tags while + 'prometheus_enabled: false' to rebuild their configs. + when: not ('setup-all' in ansible_run_tags or ('setup-nginx-proxy' in ansible_run_tags and 'setup-synapse-reverse-proxy-companion' in ansible_run_tags and 'setup-prometheus' in ansible_run_tags)) + + - name: Ensure matrix-prometheus-nginxlog-exporter is stopped + ansible.builtin.service: + name: matrix-prometheus-nginxlog-exporter + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-prometheus-nginxlog-exporter.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" + state: absent + + - name: Ensure matrix-prometheus-nginxlog-exporter path doesn't exist + ansible.builtin.file: + path: "{{ matrix_prometheus_nginxlog_exporter_base_path }}" + state: absent diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml new file mode 100644 index 000000000..2e308736b --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml @@ -0,0 +1,32 @@ +--- + +- name: Fail if Prometheus not enabled + ansible.builtin.fail: + msg: > + You need to set `prometheus_enabled: true` or configure an external Prometheus database + as this roles requires Prometheus for data storage. + when: not prometheus_enabled and not matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled + +- name: Fail if docker image not availble for arch + ansible.builtin.fail: + msg: > + 'prometheus-nginxlog-exporter' docker image is not available for your arch '{{ matrix_architecture }}'. + + We currently do not support building an image using this playbook. + + You can use a custom-build image by setting + 'matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: false' + 'matrix_prometheus_nginxlog_exporter_docker_image: path/to/docker/image:tag' + + or disable 'prometheus-nginxlog-exporter' by setting + 'matrix_prometheus_nginxlog_exporter: false' + + in vars.yml + when: matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled and matrix_architecture not in matrix_prometheus_nginxlog_exporter_docker_image_arch + + +- name: Fail if nginx-proxy is not set to proxy metrics while prometheus-nginxlog-exporter is + ansible.builtin.fail: + msg: > + 'matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled' is set but 'matrix_nginx_proxy_proxy_matrix_metrics_enabled' is not + when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool and not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json new file mode 100644 index 000000000..395314fd7 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json @@ -0,0 +1,1705 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 5, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 23, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 20, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 21, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 18, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 19, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 17 + }, + "id": 16, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 17 + }, + "id": 17, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "1xx - 2xx - 3xx Status Code .....................................................", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 2, + "panels": [], + "title": "4xx Status Code ......................................................................", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 2 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 14, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 15, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by uri [$request_host]", + "type": "timeseries" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 3 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 3 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by host [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 11 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 11 + }, + "id": 13, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "5xx Status Code ......................................................................", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 27, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 4 + }, + "id": 24, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 4 + }, + "id": 25, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "6xx > Status Code ...................................................................", + "type": "row" + } + ], + "refresh": "30s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(http_response_count_total, request_host)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "request_host", + "options": [], + "query": { + "query": "label_values(http_response_count_total, request_host)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "NGINX PROXY", + "uid": "x2_jWNF4k", + "version": 12, + "weekStart": "" +} \ No newline at end of file diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json new file mode 100644 index 000000000..395314fd7 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json @@ -0,0 +1,1705 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 5, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 23, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 20, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 21, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 18, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 19, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 17 + }, + "id": 16, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 17 + }, + "id": 17, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "1xx - 2xx - 3xx Status Code .....................................................", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 2, + "panels": [], + "title": "4xx Status Code ......................................................................", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 2 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 14, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 15, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by uri [$request_host]", + "type": "timeseries" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 3 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 3 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by host [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 11 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 11 + }, + "id": 13, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "5xx Status Code ......................................................................", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 27, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 4 + }, + "id": 24, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 4 + }, + "id": 25, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "6xx > Status Code ...................................................................", + "type": "row" + } + ], + "refresh": "30s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(http_response_count_total, request_host)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "request_host", + "options": [], + "query": { + "query": "label_values(http_response_count_total, request_host)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "NGINX PROXY", + "uid": "x2_jWNF4k", + "version": 12, + "weekStart": "" +} \ No newline at end of file diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 new file mode 100644 index 000000000..38db07eb8 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 @@ -0,0 +1,57 @@ +listen: + port: {{ matrix_prometheus_nginxlog_exporter_container_metrics_port }} + address: "0.0.0.0" + metrics_endpoint: "/metrics" + +namespaces: + - name: matrix + metrics_override: + preffix: "myprefix" + namespace_label: "namespace" + format: "$log_source $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] $host \"$request\" $status \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\"" + # enable to print to console + # print_log: true + source: + syslog: + listen_address: "udp://0.0.0.0:{{ matrix_prometheus_nginxlog_exporter_container_syslog_port }}" + # format options: "rfc3164" ,"rfc5424", "rfc6587", "auto" + format: auto + tags: ["matrix_nginx_proxy", "matrix_nginx_proxy_companion"] + relabel_configs: + - target_label: request_uri + from: request + split: 2 + separator: ' ' + matches: + - regexp: "^([^\\?]+)/(public|bundles|fonts|img|themes|vector-icons|element-icons|d|media).*" + replacement: "$1/$2/" + - regexp: "^([^\\?]+).*/rooms/.*/(event|read_markers|messages|receipt|state|typing|members).*" + replacement: "$1/rooms/:roomid:/$2" + - regexp: "^([^\\?]+).*/(r0|v3)/(sync|pushers|keys|devices|download|sendtodevice).*" + replacement: "$1/:v:/$3" + - regexp: "^([^\\?]+).*/rooms/(.*)/send/(.*)" + replacement: "$1/rooms/:roomid:/send/:command:/:id:" + - regexp: "^([^\\?]+).*/client/unstable/.*" + replacement: "$1/client/unstable/:matrixspec:" + - regexp: "^([^\\?]+).*/presence/.*" + replacement: "$1/presence/:userid:" + - regexp: "^([^\\?]+).*/user/.*" + replacement: "$1/user/:userid:" + - regexp: "^([^\\?]+).*/profile/.*" + replacement: "$1/profile/:userid:" + - regexp: "^([^\\?]+).*/directory/room/.*" + replacement: "$1/directory/room/:roomid:" + - regexp: "^([^\\?]+).*/thumbnail/.*" + replacement: "$1/thumbnail/:domain:/:mxid:" + - regexp: "^([^\\?]+)(.*)" + replacement: "$1" + - target_label: remote_addr + from: remote_addr + - target_label: server_name + from: server_name + - target_label: http_x_forwarded_for + from: http_x_forwarded_for + - target_label: request_host + from: host + - target_label: log_source + from: log_source \ No newline at end of file diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 new file mode 100644 index 000000000..0d01aa217 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description={{ matrix_prometheus_nginxlog_exporter_container_hostname }} +{% for service in matrix_prometheus_nginxlog_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_nginxlog_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' + + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_prometheus_nginxlog_exporter_container_hostname }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_prometheus_nginxlog_exporter_container_network }} \ + {% if matrix_prometheus_nginxlog_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_nginxlog_exporter_container_http_host_bind_port }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port }} \ + {% endif %} + {% if matrix_prometheus_nginxlog_exporter_container_syslog_host_bind_port %} + -p {{ matrix_prometheus_nginxlog_exporter_container_syslog_host_bind_port }}:{{ matrix_prometheus_nginxlog_exporter_container_syslog_port }}/udp \ + {% endif %} + -v {{ matrix_prometheus_nginxlog_exporter_config_path }}:/etc/prometheus-nginxlog-exporter:z \ + {% for arg in matrix_prometheus_nginxlog_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_prometheus_nginxlog_exporter_docker_image }} \ + -config-file /etc/prometheus-nginxlog-exporter/prometheus-nginxlog-exporter.yaml + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_prometheus_nginxlog_exporter_container_hostname }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml deleted file mode 100644 index 9b89519c5..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml +++ /dev/null @@ -1,67 +0,0 @@ ---- -# matrix-prometheus-node-exporter is an Prometheus exporter for machine metrics -# See: https://prometheus.io/docs/guides/node-exporter/ -# Project source code URL: https://github.com/prometheus/node_exporter - -matrix_prometheus_node_exporter_enabled: false - -matrix_prometheus_node_exporter_version: v1.4.0 -matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" -matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_prometheus_node_exporter_container_extra_arguments: [] - -# A list of extra arguments to pass to the node_exporter process -# -# Example: -# matrix_prometheus_node_exporter_process_extra_arguments: -# - "--collector.systemd" -# - "--collector.logind" -# -# Note: the above is just an example. Various collectors may require various tweaks to be able to run. -# Running the systemd collector requires the following `matrix_prometheus_node_exporter_container_extra_arguments`: -# - the socket to be mounted as well (`--mount type=bind,src=/var/run/dbus/system_bus_socket,dst=/var/run/dbus/system_bus_socket,ro,bind-propagation=rslave`) -# - (on AppArmor-based distros) disabling AppArmor protection (`--security-opt apparmor=unconfined`) -matrix_prometheus_node_exporter_process_extra_arguments: [] - -# List of systemd services that matrix-prometheus.service depends on -matrix_prometheus_node_exporter_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus.service wants -matrix_prometheus_node_exporter_systemd_wanted_services_list: [] - -# Controls whether node-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/node-exporter`. -# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. -# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. -matrix_prometheus_node_exporter_metrics_proxying_enabled: false - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). -# -# Takes an ":" value (e.g. "127.0.0.1:9100"), just a port number or empty string to not expose. -# -# You likely don't need to do this. See `matrix_prometheus_node_exporter_metrics_proxying_enabled`. -# -# Official recommendations are to run this container with `--net=host`, -# but we don't do that, since it: -# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) -# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) -# -# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, -# but that's trickier to accomplish and won't necessarily work (hasn't been tested). -# -# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), -# because node-exporter can't see all interfaces, etc. -# For now, we'll live with that, until someone develops a better solution. -matrix_prometheus_node_exporter_container_http_host_bind_port: '' - -# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. -# If matrix_prometheus_node_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" -# If matrix_prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used -# Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) -matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + matrix_prometheus_node_exporter_container_http_host_bind_port_number_raw if not ':' in matrix_prometheus_node_exporter_container_http_host_bind_port else (matrix_prometheus_node_exporter_container_http_host_bind_port if matrix_prometheus_node_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" - -# matrix_prometheus_node_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions. -# If the Grafana role is enabled, these dashboards will be downloaded. -matrix_prometheus_node_exporter_dashboard_urls: - - https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml deleted file mode 100644 index 460ab1373..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-node-exporter.service'] }}" - when: matrix_prometheus_node_exporter_enabled | bool - -- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-prometheus-node-exporter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate node-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) - ansible.builtin.set_fact: - matrix_prometheus_node_exporter_nginx_metrics_configuration_block: | - location /metrics/node-exporter { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-prometheus-node-exporter:9100"; - proxy_pass http://$backend/metrics; - {% elif matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} - proxy_pass http://{{ matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } - - - name: Register node-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_prometheus_node_exporter_nginx_metrics_configuration_block] - }} diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml deleted file mode 100644 index 81b0c7022..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-prometheus-node-exporter diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml deleted file mode 100644 index 0b0c5704a..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-prometheus-node-exporter -# - -- name: Ensure matrix-prometheus-node-exporter image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_node_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" - when: "matrix_prometheus_node_exporter_enabled | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-prometheus-node-exporter.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - mode: 0644 - register: matrix_prometheus_node_exporter_systemd_service_result - when: matrix_prometheus_node_exporter_enabled | bool - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus-node-exporter (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus-node-exporter service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - register: matrix_prometheus_node_exporter_service_stat - -- name: Ensure matrix-prometheus-node-exporter is stopped - ansible.builtin.service: - name: matrix-prometheus-node-exporter - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-node-exporter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - state: absent - when: "not matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_service_stat.stat.exists" diff --git a/roles/custom/matrix-prometheus-node-exporter/vars/main.yml b/roles/custom/matrix-prometheus-node-exporter/vars/main.yml deleted file mode 100644 index 952dc2050..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# `matrix_prometheus_node_exporter_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_prometheus_node_exporter_container_http_host_bind_port`, -# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234') -matrix_prometheus_node_exporter_container_http_host_bind_port_number_raw: "{{ '' if matrix_prometheus_node_exporter_container_http_host_bind_port == '' else (matrix_prometheus_node_exporter_container_http_host_bind_port.split(':')[1] if ':' in matrix_prometheus_node_exporter_container_http_host_bind_port else matrix_prometheus_node_exporter_container_http_host_bind_port) }}" diff --git a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml deleted file mode 100644 index f0cbfede9..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics -# Project source code URL: https://github.com/prometheus-community/postgres_exporter - -matrix_prometheus_postgres_exporter_enabled: false - -matrix_prometheus_postgres_exporter_version: v0.11.1 -matrix_prometheus_postgres_exporter_port: 9187 - -matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" -matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", - "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{ matrix_prometheus_postgres_exporter_port }}\"", - "-e DATA_SOURCE_NAME=\"postgresql://{{ matrix_prometheus_postgres_exporter_database_username }}:{{ matrix_prometheus_postgres_exporter_database_password }}@{{ matrix_prometheus_postgres_exporter_database_hostname }}:5432/{{ matrix_prometheus_postgres_exporter_database_name }}?sslmode=disable\""] - -# List of systemd services that matrix-prometheus-postgres-exporter.service depends on -matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus-postgres-exporter.service wants -matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] - -# details for connecting to the database -matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' -matrix_prometheus_postgres_exporter_database_password: 'some-password' -matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' -matrix_prometheus_postgres_exporter_database_port: 5432 -matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' - -# Controls whether postgres-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/postgres-exporter`. -# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. -# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. -matrix_prometheus_postgres_exporter_metrics_proxying_enabled: false - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9187 in the container). -# -# Takes an ":" value (e.g. "127.0.0.1:9187"), just a port number or an empty string to not expose. -# -# You likely don't need to do this. See `matrix_prometheus_postgres_exporter_metrics_proxying_enabled`. -# -# Official recommendations are to run this container with `--net=host`, -# but we don't do that, since it: -# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) -# - or listens on a loopback interface only (--net=host and 127.0.0.1:9187), which is not reachable from another container (like `matrix-prometheus`) -# -# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, -# but that's trickier to accomplish and won't necessarily work (hasn't been tested). -# -# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), -# because node-exporter can't see all interfaces, etc. -# For now, we'll live with that, until someone develops a better solution. -matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' - -# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. -# If matrix_prometheus_postgres_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" -# If matrix_prometheus_postgres_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used -# Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) -matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + matrix_prometheus_postgres_exporter_container_http_host_bind_port_number_raw if not ':' in matrix_prometheus_postgres_exporter_container_http_host_bind_port else (matrix_prometheus_postgres_exporter_container_http_host_bind_port if matrix_prometheus_postgres_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" - -# matrix_prometheus_postgres_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions. -# If the Grafana role is enabled, these dashboards will be downloaded. -matrix_prometheus_postgres_exporter_dashboard_urls: - - "https://grafana.com/api/dashboards/9628/revisions/7/download" diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml deleted file mode 100644 index 20333dce6..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" - when: matrix_prometheus_postgres_exporter_enabled | bool - -- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append postgres-exporter's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-prometheus-postgres-exporter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate postgres-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) - ansible.builtin.set_fact: - matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block: | - location /metrics/postgres-exporter { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-prometheus-postgres-exporter:9187"; - proxy_pass http://$backend/metrics; - {% elif matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} - proxy_pass http://{{ matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } - - - name: Register postgres-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block] - }} diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml deleted file mode 100644 index 434735877..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-prometheus-postgres-exporter diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml deleted file mode 100644 index 1ab157994..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-prometheus-postgres-exporter -# - -- name: Ensure matrix-prometheus-postgres-exporter image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" - when: "matrix_prometheus_postgres_exporter_enabled | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-prometheus-postgres-exporter.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - mode: 0644 - register: matrix_prometheus_postgres_exporter_systemd_service_result - when: matrix_prometheus_postgres_exporter_enabled | bool - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus-postgres-exporter service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - register: matrix_prometheus_postgres_exporter_service_stat - -- name: Ensure matrix-prometheus-postgres-exporter is stopped - ansible.builtin.service: - name: matrix-prometheus-postgres-exporter - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - state: absent - when: "not matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml deleted file mode 100644 index aed3b2167..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# `matrix_prometheus_postgres_exporter_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_prometheus_postgres_exporter_container_http_host_bind_port`, -# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234') -matrix_prometheus_postgres_exporter_container_http_host_bind_port_number_raw: "{{ '' if matrix_prometheus_postgres_exporter_container_http_host_bind_port == '' else (matrix_prometheus_postgres_exporter_container_http_host_bind_port.split(':')[1] if ':' in matrix_prometheus_postgres_exporter_container_http_host_bind_port else matrix_prometheus_postgres_exporter_container_http_host_bind_port) }}" diff --git a/roles/custom/matrix-prometheus-services-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml new file mode 100644 index 000000000..f06d8da4e --- /dev/null +++ b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml @@ -0,0 +1,164 @@ +--- + +# matrix-prometheus-services-connect is a role which helps integrate +# the various Matrix services with the Prometheus role. + +# Controls whether Synapse integration should be done +matrix_prometheus_services_connect_synapse_enabled: false + +# Controls whether the synapse rules shall be loaded into Prometheus +matrix_prometheus_services_connect_synapse_rules_enabled: "{{ matrix_prometheus_services_connect_synapse_enabled }}" + +# Controls whether the synapse rules shall be downloaded +matrix_prometheus_services_connect_synapse_rules_download_enabled: "{{ matrix_prometheus_services_connect_synapse_rules_enabled }}" +matrix_prometheus_services_connect_synapse_rules_download_synapse_tag: master +matrix_prometheus_services_connect_synapse_rules_download_src_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_services_connect_synapse_rules_download_synapse_tag }}/contrib/prometheus/synapse-v2.rules" +matrix_prometheus_services_connect_synapse_rules_download_dir_path: '' +matrix_prometheus_services_connect_synapse_rules_download_owner: '' +matrix_prometheus_services_connect_synapse_rules_download_group: '' + +# Controls whether Synapse shall be scraped +matrix_prometheus_services_connect_scraper_synapse_enabled: false + +# Controls scraping the Synapse processes +matrix_prometheus_services_connect_scraper_synapse_job_name: synapse +matrix_prometheus_services_connect_scraper_synapse_metrics_path: /_synapse/metrics +matrix_prometheus_services_connect_scraper_synapse_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_synapse_scrape_timeout: 15s + +matrix_prometheus_services_connect_scraper_synapse_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_synapse_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_synapse_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_synapse_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_synapse_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_synapse_static_configs, + }] + }} + +matrix_prometheus_services_connect_scraper_synapse_static_configs: | + {{ + (matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs if matrix_prometheus_services_connect_scraper_synapse_main_process_enabled else []) + + + (matrix_prometheus_services_connect_scraper_synapse_workers_static_configs if matrix_prometheus_services_connect_scraper_synapse_workers_enabled else []) + }} + +# Controls whether the Synapse main process shall be scraped +matrix_prometheus_services_connect_scraper_synapse_main_process_enabled: "{{ matrix_prometheus_services_connect_scraper_synapse_enabled }}" + +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs: | + {{ + [{ + 'targets': [matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target], + 'labels': { + 'instance': matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_instance, + 'job': matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_job, + 'index': 0, + } + }] + }} +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target: '' +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_instance: "{{ matrix_domain }}" +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_job: master + +# Controls whether Synapse workers shall be scraped +matrix_prometheus_services_connect_scraper_synapse_workers_enabled: "{{ matrix_prometheus_services_connect_scraper_synapse_enabled and matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list | length > 0 }}" + +matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list: [] + +matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_as_yaml: | + {% for worker in matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list %} + {% if worker.metrics_port != 0 %} + - targets: ['{{ worker.name }}:{{ worker.metrics_port }}'] + labels: + instance: {{ matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_instance | to_json }} + worker_id: {{ worker.id | to_json }} + job: {{ worker.type | to_json }} + app: {{ worker.app | to_json }} + {% endif %} + {% endfor %} + +matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_instance: "{{ matrix_domain }}" + +matrix_prometheus_services_connect_scraper_synapse_workers_static_configs: "{{ [] if matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list | length == 0 else matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_as_yaml | from_yaml }}" + +# Controls whether Postgres (postgres-exporter) shall be scraped +matrix_prometheus_services_connect_scraper_postgres_enabled: false +matrix_prometheus_services_connect_scraper_postgres_job_name: postgres +matrix_prometheus_services_connect_scraper_postgres_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_postgres_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_postgres_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_postgres_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_postgres_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_postgres_static_configs_target: '' +# The final scrape config for the Postgers scraper +matrix_prometheus_services_connect_scraper_postgres_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_postgres_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_postgres_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_postgres_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_postgres_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_postgres_static_configs, + }] + }} + +# Controls whether Hookshot shall be scraped +matrix_prometheus_services_connect_scraper_hookshot_enabled: false +matrix_prometheus_services_connect_scraper_hookshot_job_name: hookshot +matrix_prometheus_services_connect_scraper_hookshot_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_hookshot_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_hookshot_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_hookshot_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_hookshot_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: '' +# The final scrape config for the Hookshot scraper +matrix_prometheus_services_connect_scraper_hookshot_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_hookshot_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_hookshot_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_hookshot_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_hookshot_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_hookshot_static_configs, + }] + }} + +# Controls whether nginxlog shall be scraped +matrix_prometheus_services_connect_scraper_nginxlog_enabled: false +matrix_prometheus_services_connect_scraper_nginxlog_job_name: nginxlog +matrix_prometheus_services_connect_scraper_nginxlog_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_nginxlog_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_nginxlog_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_nginxlog_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: '' +# The final scrape config for the nginxlog scraper +matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_nginxlog_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_nginxlog_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_nginxlog_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_nginxlog_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_nginxlog_static_configs, + }] + }} + +# Controls whether media-repo shall be scraped +matrix_prometheus_services_connect_scraper_media_repo_enabled: false +matrix_prometheus_services_connect_scraper_media_repo_job_name: media-repo +matrix_prometheus_services_connect_scraper_media_repo_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_media_repo_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_media_repo_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_media_repo_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_media_repo_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: '' +# The final scrape config for the media-repo scraper +matrix_prometheus_services_connect_scraper_media_repo_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_media_repo_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_media_repo_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_media_repo_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_media_repo_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_media_repo_static_configs, + }] + }} diff --git a/roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml b/roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml new file mode 100644 index 000000000..78b218aca --- /dev/null +++ b/roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml @@ -0,0 +1,14 @@ +--- + +- name: Download synapse-v2.rules + ansible.builtin.get_url: + url: "{{ matrix_prometheus_services_connect_synapse_rules_download_src_url }}" + dest: "{{ matrix_prometheus_services_connect_synapse_rules_download_dir_path }}/synapse-v2.rules" + force: true + mode: 0440 + owner: "{{ matrix_prometheus_services_connect_synapse_rules_download_owner }}" + group: "{{ matrix_prometheus_services_connect_synapse_rules_download_group }}" + register: result + retries: "{{ devture_playbook_help_geturl_retries_count }}" + delay: "{{ devture_playbook_help_geturl_retries_delay }}" + until: result is not failed diff --git a/roles/custom/matrix-prometheus-services-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-connect/tasks/main.yml new file mode 100644 index 000000000..f2c22b7f4 --- /dev/null +++ b/roles/custom/matrix-prometheus-services-connect/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- tags: + - setup-all + - setup-prometheus + - setup-prometheus-services-connect + - install-all + - install-prometheus-services-connect + block: + - when: matrix_prometheus_services_connect_synapse_rules_download_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install_synapse_rules.yml" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml new file mode 100644 index 000000000..30ef2c130 --- /dev/null +++ b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml @@ -0,0 +1,27 @@ +--- +# matrix-prometheus-services-proxy-connect is a role which helps integrate +# the various Prometheus roles, which may live outside this Matrix playbook, into it. + + +# Controls whether node-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/node-exporter`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled: false + +# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. +# If prometheus_node_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" +# If prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used +# Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) +matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + prometheus_node_exporter_container_http_host_bind_port_number_raw if not ':' in prometheus_node_exporter_container_http_host_bind_port else (prometheus_node_exporter_container_http_host_bind_port if prometheus_node_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" + + +# Controls whether postgres-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/postgres-exporter`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled: false + +# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. +# If prometheus_node_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" +# If prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used +# Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) +matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + prometheus_postgres_exporter_container_http_host_bind_port_number_raw if not ':' in prometheus_postgres_exporter_container_http_host_bind_port else (prometheus_postgres_exporter_container_http_host_bind_port if prometheus_postgres_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml new file mode 100644 index 000000000..ea067bdba --- /dev/null +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml @@ -0,0 +1,28 @@ +--- + +- name: Fail if matrix-nginx-proxy role executed before matrix-prometheus-services-proxy-connect + when: matrix_nginx_proxy_role_executed | default(False) | bool + ansible.builtin.fail: + msg: >- + Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-prometheus-services-proxy-connect role. + +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml" + +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..4c86e8aab --- /dev/null +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml @@ -0,0 +1,26 @@ +--- + +- name: Generate node-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) + ansible.builtin.set_fact: + matrix_prometheus_services_proxy_connect_node_exporter_nginx_metrics_configuration_block: | + location /metrics/node-exporter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ prometheus_node_exporter_identifier }}:9100"; + proxy_pass http://$backend/metrics; + {% elif matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} + proxy_pass http://{{ matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register node-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_prometheus_services_proxy_connect_node_exporter_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..347960818 --- /dev/null +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml @@ -0,0 +1,26 @@ +--- + +- name: Generate postgres-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) + ansible.builtin.set_fact: + matrix_prometheus_services_proxy_connect_postgres_exporter_nginx_metrics_configuration_block: | + location /metrics/postgres-exporter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ prometheus_postgres_exporter_identifier }}:{{ prometheus_postgres_exporter_port }}"; + proxy_pass http://$backend/metrics; + {% elif matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} + proxy_pass http://{{ matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register postgres-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_prometheus_services_proxy_connect_postgres_exporter_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml deleted file mode 100644 index adc903872..000000000 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ /dev/null @@ -1,82 +0,0 @@ ---- -# matrix-prometheus is an open-source systems monitoring and alerting toolkit -# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md -# Project source code URL: https://github.com/prometheus/prometheus - -matrix_prometheus_enabled: false - -matrix_prometheus_version: v2.40.1 -matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" -matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" - -matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" -matrix_prometheus_config_path: "{{ matrix_prometheus_base_path }}/config" -matrix_prometheus_data_path: "{{ matrix_prometheus_base_path }}/data" - -# A list of extra arguments to pass to the container -matrix_prometheus_container_extra_arguments: [] - -# List of systemd services that matrix-prometheus.service depends on -matrix_prometheus_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus.service wants -matrix_prometheus_systemd_wanted_services_list: [] - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. -matrix_prometheus_container_http_host_bind_port: '' - -# A list of default arguments to pass to the prometheus process -matrix_prometheus_process_default_arguments: - - "--config.file=/etc/prometheus/prometheus.yml" - - "--storage.tsdb.path=/prometheus" - - "--web.console.libraries=/usr/share/prometheus/console_libraries" - - "--web.console.templates=/usr/share/prometheus/consoles" - -# A list of extra arguments to pass to the prometheus process -matrix_prometheus_process_extra_arguments: [] - -# holds the final list of process arguments -matrix_prometheus_process_arguments: "{{ matrix_prometheus_process_default_arguments + matrix_prometheus_process_extra_arguments }}" - -# Tells whether the "synapse" scraper configuration is enabled. -matrix_prometheus_scraper_synapse_enabled: false - -# Tells whether to download and load a Synapse rules file -matrix_prometheus_scraper_synapse_rules_enabled: "{{ matrix_prometheus_scraper_synapse_enabled }}" -matrix_prometheus_scraper_synapse_rules_synapse_tag: "master" -matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules" - -matrix_prometheus_scraper_synapse_targets: [] -matrix_prometheus_scraper_synapse_workers_enabled_list: [] - -# Tells whether the "node" scraper configuration is enabled. -# This configuration aims to scrape the current node (this server). -matrix_prometheus_scraper_node_enabled: false - -# Target addresses for the "node" scraper configuration. -# Unless you define this as a non-empty list, it gets populated at runtime with the IP address of `matrix-prometheus-node-exporter` and port 9100. -matrix_prometheus_scraper_node_targets: [] - -# Default prometheus configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_prometheus_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_prometheus_configuration_yaml: "{{ lookup('template', 'templates/prometheus.yml.j2') }}" - -matrix_prometheus_configuration_extension_yaml: | - # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_prometheus_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_prometheus_configuration_yaml`. - -matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_extension_yaml | from_yaml if matrix_prometheus_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. -matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml | from_yaml | combine(matrix_prometheus_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-prometheus/tasks/init.yml b/roles/custom/matrix-prometheus/tasks/init.yml deleted file mode 100644 index 298536730..000000000 --- a/roles/custom/matrix-prometheus/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus.service'] }}" - when: matrix_prometheus_enabled | bool diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml deleted file mode 100644 index 1a5a37089..000000000 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_prometheus_enabled | bool" - tags: - - setup-all - - setup-prometheus - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_prometheus_enabled | bool" - tags: - - setup-all - - setup-prometheus - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_prometheus_enabled | bool" - tags: - - setup-all - - setup-prometheus diff --git a/roles/custom/matrix-prometheus/tasks/setup_install.yml b/roles/custom/matrix-prometheus/tasks/setup_install.yml deleted file mode 100644 index 8c18ce664..000000000 --- a/roles/custom/matrix-prometheus/tasks/setup_install.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- - -- name: Ensure matrix-prometheus image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Prometheus paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_prometheus_base_path }}" - - "{{ matrix_prometheus_config_path }}" - - "{{ matrix_prometheus_data_path }}" - -- name: Download synapse-v2.rules - ansible.builtin.get_url: - url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" - dest: "{{ matrix_prometheus_config_path }}/synapse-v2.rules" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "matrix_prometheus_scraper_synapse_rules_enabled | bool" - register: result - retries: "{{ devture_playbook_help_geturl_retries_count }}" - delay: "{{ devture_playbook_help_geturl_retries_delay }}" - until: result is not failed - -- name: Ensure prometheus.yml installed - ansible.builtin.copy: - content: "{{ matrix_prometheus_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-prometheus.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" - mode: 0644 - register: matrix_prometheus_systemd_service_result - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml deleted file mode 100644 index 5fe145fc3..000000000 --- a/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -- name: Check existence of matrix-prometheus service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" - register: matrix_prometheus_service_stat - -- name: Ensure matrix-prometheus is stopped - ansible.builtin.service: - name: matrix-prometheus - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_prometheus_service_stat.stat.exists | bool" - -- name: Ensure matrix-prometheus.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" - state: absent - when: "matrix_prometheus_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-prometheus.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_service_stat.stat.exists | bool" diff --git a/roles/custom/matrix-prometheus/tasks/validate_config.yml b/roles/custom/matrix-prometheus/tasks/validate_config.yml deleted file mode 100644 index 3e3863042..000000000 --- a/roles/custom/matrix-prometheus/tasks/validate_config.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled - ansible.builtin.fail: - msg: > - You need to enable `matrix_prometheus_scraper_synapse_enabled` and/or `matrix_prometheus_scraper_node_enabled` for Prometheus grab metrics. - when: "not matrix_prometheus_scraper_synapse_enabled and not matrix_prometheus_scraper_node_enabled" diff --git a/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 b/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 deleted file mode 100644 index 83ae8a9a1..000000000 --- a/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 +++ /dev/null @@ -1,66 +0,0 @@ -#jinja2: lstrip_blocks: "True" -global: - scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. - evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. - # scrape_timeout is set to the global default (10s). - -# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. -rule_files: - {% if matrix_prometheus_scraper_synapse_rules_enabled %} - - 'synapse-v2.rules' - {% endif %} - -# A scrape configuration containing exactly one endpoint to scrape: -# Here it's Prometheus itself. -scrape_configs: - # The job name is added as a label `job=` to any timeseries scraped from this config. - - job_name: 'prometheus' - - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - scrape_timeout: 5s - - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - - static_configs: - - targets: ['localhost:9090'] - - {% if matrix_prometheus_scraper_synapse_enabled %} - - job_name: 'synapse' - metrics_path: '/_synapse/metrics' - static_configs: - - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} - labels: - instance: {{ matrix_domain | to_json }} - job: master - index: 0 - {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} - {% if worker.metrics_port != 0 %} - - targets: ['{{ worker.name }}:{{ worker.metrics_port }}'] - labels: - instance: {{ matrix_domain | to_json }} - worker_id: {{ worker.id | to_json }} - job: {{ worker.type | to_json }} - app: {{ worker.app | to_json }} - {% endif %} - {% endfor %} - {% endif %} - - {% if matrix_prometheus_scraper_node_enabled %} - - job_name: node - static_configs: - - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} - {% endif %} - - {% if matrix_prometheus_scraper_postgres_enabled %} - - job_name: postgres - static_configs: - - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} - {% endif %} - - {% if matrix_prometheus_scraper_hookshot_enabled %} - - job_name: hookshot - static_configs: - - targets: {{ matrix_prometheus_scraper_hookshot_targets|to_json }} - {% endif %} diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml new file mode 100644 index 000000000..8cc2f9054 --- /dev/null +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -0,0 +1,115 @@ +--- + +# rageshake is a bug report collection service +# Project source code URL: https://github.com/matrix-org/rageshake + +matrix_rageshake_enabled: true + +matrix_rageshake_scheme: https + +# The hostname at which rageshake is served. +matrix_rageshake_hostname: '' + +# The path at which rageshake is exposed. +# This value must either be `/` or not end with a slash (e.g. `/rageshake`). +matrix_rageshake_path_prefix: / + +# There are no stable container image tags yet. +# See: https://github.com/matrix-org/rageshake/issues/69 +matrix_rageshake_version: 1.9.0 + +matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" +matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" +matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" +matrix_rageshake_container_src_files_path: "{{ matrix_rageshake_base_path }}/container-src" + +matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_container_image_tag }}" +matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else matrix_rageshake_container_registry_prefix }}" +matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}" +matrix_rageshake_container_image_tag: "{{ matrix_rageshake_version }}" +matrix_rageshake_container_registry_prefix: ghcr.io/ + +matrix_rageshake_container_image_self_build: false +matrix_rageshake_container_image_self_build_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_container_image_self_build_repo_version: "{{ matrix_rageshake_version }}" + +# Controls whether the container exposes its HTTP port (tcp/9110 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9110"), or empty string to not expose. +matrix_rageshake_container_http_host_bind_port: '' + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_rageshake_container_network: matrix-rageshake + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_rageshake_container_additional_networks: [] + +# matrix_rageshake_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_rageshake_container_labels_additional_labels`. +matrix_rageshake_container_labels_traefik_enabled: true +matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_rageshake_container_network }}" +matrix_rageshake_container_labels_traefik_hostname: "{{ matrix_rageshake_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/rageshake`). +matrix_rageshake_container_labels_traefik_path_prefix: "{{ matrix_rageshake_path_prefix }}" +matrix_rageshake_container_labels_traefik_rule: "Host(`{{ matrix_rageshake_container_labels_traefik_hostname }}`){% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_rageshake_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_rageshake_container_labels_traefik_priority: 0 +matrix_rageshake_container_labels_traefik_entrypoints: web-secure +matrix_rageshake_container_labels_traefik_tls: "{{ matrix_rageshake_container_labels_traefik_entrypoints != 'web' }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_rageshake_container_labels_traefik_additional_response_headers_custom` +matrix_rageshake_container_labels_traefik_additional_response_headers: "{{ matrix_rageshake_container_labels_traefik_additional_response_headers_auto | combine(matrix_rageshake_container_labels_traefik_additional_response_headers_custom) }}" +matrix_rageshake_container_labels_traefik_additional_response_headers_auto: {} +matrix_rageshake_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_rageshake_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_rageshake_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_rageshake_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_rageshake_container_extra_arguments: [] + +# List of systemd services that matrix-rageshake.service depends on +matrix_rageshake_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-rageshake.service wants +matrix_rageshake_systemd_wanted_services_list: [] + +matrix_rageshake_config_api_prefix: "{{ matrix_rageshake_scheme }}://{{ matrix_rageshake_hostname }}{{ matrix_rageshake_path_prefix }}{{ '' if matrix_rageshake_path_prefix == '/' else '/' }}api/" + +# Default Rageshake configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_rageshake_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_rageshake_configuration_yaml: "{{ lookup('template', 'templates/config.yml.j2') }}" + +matrix_rageshake_configuration_extension_yaml: | + # Your custom YAML configuration for Synapse goes here. + # This configuration extends the default starting configuration (`matrix_rageshake_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_rageshake_configuration_yaml`. + # + # Example configuration extension follows: + # + # github_project_mappings: + # my-app: octocat/HelloWorld + +matrix_rageshake_configuration_extension: "{{ matrix_rageshake_configuration_extension_yaml | from_yaml if matrix_rageshake_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final Synapse configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_rageshake_configuration_yaml`. +matrix_rageshake_configuration: "{{ matrix_rageshake_configuration_yaml | from_yaml | combine(matrix_rageshake_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml new file mode 100644 index 000000000..a1db9a877 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -0,0 +1,77 @@ +--- + +- name: Ensure rageshake paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_rageshake_config_path }}" + when: true + - path: "{{ matrix_rageshake_data_path }}" + when: true + - path: "{{ matrix_rageshake_container_src_files_path }}" + when: matrix_rageshake_container_image_self_build | bool + when: "item.when | bool" + +- name: Ensure rageshake config file created + ansible.builtin.copy: + content: "{{ matrix_rageshake_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_rageshake_config_path }}/config.yml" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure rageshake labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_rageshake_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure rageshake image is pulled + community.docker.docker_image: + name: "{{ matrix_rageshake_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_rageshake_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_container_image_force_pull }}" + when: "not matrix_rageshake_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure rageshake repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_rageshake_container_image_self_build_repo }}" + version: "{{ matrix_rageshake_container_image_self_build_version }}" + dest: "{{ matrix_rageshake_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_rageshake_git_pull_results + when: "matrix_rageshake_container_image_self_build | bool" + +- name: Ensure rageshake container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_rageshake_container_image }} + --file={{ matrix_rageshake_container_src_files_path }}/Dockerfile + {{ matrix_rageshake_container_src_files_path }} + changed_when: true + when: matrix_rageshake_container_image_self_build | bool + +- name: Ensure rageshake container network is created + community.general.docker_network: + name: "{{ matrix_rageshake_container_network }}" + driver: bridge + +- name: Ensure matrix-rageshake.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + mode: 0644 diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml new file mode 100644 index 000000000..a211296d0 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-rageshake + - install-all + - install-rageshake + block: + - when: matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-rageshake + block: + - when: not matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-rageshake/tasks/uninstall.yml b/roles/custom/matrix-rageshake/tasks/uninstall.yml new file mode 100644 index 000000000..8f04d9894 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-rageshake service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + register: matrix_rageshake_service_stat + +- when: matrix_rageshake_service_stat.stat.exists | bool + block: + - name: Ensure matrix-rageshake is stopped + ansible.builtin.service: + name: matrix-rageshake + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-rageshake.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + state: absent + + - name: Ensure rageshake paths don't exist + ansible.builtin.file: + path: "{{ matrix_rageshake_base_path }}" + state: absent diff --git a/roles/custom/matrix-rageshake/tasks/validate_config.yml b/roles/custom/matrix-rageshake/tasks/validate_config.yml new file mode 100644 index 000000000..b61a486d2 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/validate_config.yml @@ -0,0 +1,31 @@ +--- + +- name: Fail if required rageshake settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_rageshake_hostname + - matrix_rageshake_path_prefix + - matrix_rageshake_container_network + +- when: matrix_rageshake_container_labels_traefik_enabled | bool + block: + - name: Fail if required rageshake Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_rageshake_container_labels_traefik_hostname + - matrix_rageshake_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_rageshake_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_rageshake_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_rageshake_container_labels_traefik_path_prefix (`{{ matrix_rageshake_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/rageshake`). + when: "matrix_rageshake_container_labels_traefik_path_prefix != '/' and matrix_rageshake_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-rageshake/templates/config.yml.j2 b/roles/custom/matrix-rageshake/templates/config.yml.j2 new file mode 100644 index 000000000..6b0c2664d --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/config.yml.j2 @@ -0,0 +1,4 @@ +# Default configuration for Rageshake. +# To extend it, use `matrix_rageshake_configuration_extension_yaml`. + +api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} diff --git a/roles/custom/matrix-rageshake/templates/labels.j2 b/roles/custom/matrix-rageshake/templates/labels.j2 new file mode 100644 index 000000000..cdaf5f6af --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_rageshake_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_rageshake_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_rageshake_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.regex=({{ matrix_rageshake_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-rageshake-slashless-redirect'] %} +{% endif %} + +{% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-rageshake-strip-prefix.stripprefix.prefixes={{ matrix_rageshake_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-rageshake-strip-prefix'] %} +{% endif %} + +{% if matrix_rageshake_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_rageshake_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-rageshake-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-rageshake-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-rageshake.rule={{ matrix_rageshake_container_labels_traefik_rule }} +{% if matrix_rageshake_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-rageshake.priority={{ matrix_rageshake_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-rageshake.service=matrix-rageshake +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-rageshake.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-rageshake.entrypoints={{ matrix_rageshake_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-rageshake.tls={{ matrix_rageshake_container_labels_traefik_tls | to_json }} +{% if matrix_rageshake_container_labels_traefik_tls %} +traefik.http.routers.matrix-rageshake.tls.certResolver={{ matrix_rageshake_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-rageshake.loadbalancer.server.port=9110 +{% endif %} + +{{ matrix_rageshake_container_labels_additional_labels }} diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 new file mode 100644 index 000000000..75006c2d5 --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 @@ -0,0 +1,51 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Rageshake Service +{% for service in matrix_rageshake_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_rageshake_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-rageshake \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs /tmp \ + --network={{ matrix_rageshake_container_network }} \ + --mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_rageshake_data_path }},dst=/bugs \ + --label-file={{ matrix_rageshake_base_path }}/labels \ + {% for arg in matrix_rageshake_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_rageshake_container_image }} \ + --config /config/config.yml + +{% for network in matrix_rageshake_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-rageshake +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-rageshake + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-rageshake + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-redis/defaults/main.yml b/roles/custom/matrix-redis/defaults/main.yml deleted file mode 100644 index 4eefbce4c..000000000 --- a/roles/custom/matrix-redis/defaults/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Project source code URL: https://github.com/redis/redis - -matrix_redis_enabled: true - -matrix_redis_connection_password: "" - -matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" -matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" - -matrix_redis_version: 7.0.4-alpine -matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" -matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" -matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' - -matrix_redis_docker_image_force_pull: "{{ matrix_redis_docker_image_to_use.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_redis_container_extra_arguments: [] - -# Controls whether the matrix-redis container exposes a port (tcp/6379 in the container) -# that can be used to access redis from outside the container -# -# Takes an ":" or "" value (e.g. "127.0.0.1:6379"), or empty string to not expose. -matrix_redis_container_redis_bind_port: "" diff --git a/roles/custom/matrix-redis/tasks/init.yml b/roles/custom/matrix-redis/tasks/init.yml deleted file mode 100644 index 00154b336..000000000 --- a/roles/custom/matrix-redis/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-redis'] }}" - when: matrix_redis_enabled | bool diff --git a/roles/custom/matrix-redis/tasks/main.yml b/roles/custom/matrix-redis/tasks/main.yml deleted file mode 100644 index 1bcac7d6a..000000000 --- a/roles/custom/matrix-redis/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_redis.yml" - when: run_setup | bool - tags: - - setup-all - - setup-redis diff --git a/roles/custom/matrix-redis/tasks/setup_redis.yml b/roles/custom/matrix-redis/tasks/setup_redis.yml deleted file mode 100644 index b1b4c0b5c..000000000 --- a/roles/custom/matrix-redis/tasks/setup_redis.yml +++ /dev/null @@ -1,104 +0,0 @@ ---- - -# -# Tasks related to setting up an internal redis server -# - -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_redis_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_redis_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_redis_docker_image_force_pull }}" - when: matrix_redis_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure redis paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_redis_base_path }}" - - "{{ matrix_redis_data_path }}" - when: matrix_redis_enabled | bool - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure redis data path ownership is correct - ansible.builtin.file: - path: "{{ matrix_redis_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - recurse: true - when: matrix_redis_enabled | bool - -- name: Ensure redis environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_redis_base_path }}/{{ item }}" - mode: 0644 - with_items: - - "redis.conf" - when: matrix_redis_enabled | bool - -- name: Ensure matrix-redis.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - mode: 0644 - register: matrix_redis_systemd_service_result - when: matrix_redis_enabled | bool - -- name: Ensure systemd reloaded after matrix-redis.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_redis_enabled | bool and matrix_redis_systemd_service_result.changed" - -# -# Tasks related to getting rid of the internal redis server (if it was previously enabled) -# - -- name: Check existence of matrix-redis service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - register: matrix_redis_service_stat - when: "not matrix_redis_enabled | bool" - -- name: Ensure matrix-redis is stopped - ansible.builtin.service: - name: matrix-redis - state: stopped - enabled: false - daemon_reload: true - when: "not matrix_redis_enabled | bool and matrix_redis_service_stat.stat.exists" - -- name: Ensure matrix-redis.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - state: absent - when: "not matrix_redis_enabled | bool and matrix_redis_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-redis.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_redis_enabled | bool and matrix_redis_service_stat.stat.exists" - -- name: Check existence of matrix-redis local data path - ansible.builtin.stat: - path: "{{ matrix_redis_data_path }}" - register: matrix_redis_data_path_stat - when: "not matrix_redis_enabled | bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Notify if matrix-redis local data remains - ansible.builtin.debug: - msg: "Note: You are not using a local redis instance, but some old data remains from before in `{{ matrix_redis_data_path }}`. Feel free to delete it." - when: "not matrix_redis_enabled | bool and matrix_redis_data_path_stat.stat.exists" diff --git a/roles/custom/matrix-redis/templates/redis.conf.j2 b/roles/custom/matrix-redis/templates/redis.conf.j2 deleted file mode 100644 index 343713566..000000000 --- a/roles/custom/matrix-redis/templates/redis.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{% if matrix_redis_connection_password %} -requirepass {{ matrix_redis_connection_password }} -{% endif %} diff --git a/roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 deleted file mode 100644 index 5f6699f83..000000000 --- a/roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Redis server -After=docker.service -Requires=docker.service - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker stop matrix-redis -ExecStartPre=-/usr/bin/docker rm matrix-redis - -ExecStart=/usr/bin/docker run --rm --name matrix-redis \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --network={{ matrix_docker_network }} \ - {% if matrix_redis_container_redis_bind_port %} - -p {{ matrix_redis_container_redis_bind_port }}:6379 \ - {% endif %} - --mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \ - --mount type=bind,src={{ matrix_redis_data_path }},dst=/data \ - {% for arg in matrix_redis_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_redis_docker_image_to_use }} \ - redis-server /usr/local/etc/redis/redis.conf - -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-redis - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-registration/defaults/main.yml b/roles/custom/matrix-registration/defaults/main.yml index 1e53ae982..c7a45fad0 100644 --- a/roles/custom/matrix-registration/defaults/main.yml +++ b/roles/custom/matrix-registration/defaults/main.yml @@ -52,7 +52,7 @@ matrix_registration_sqlite_database_path_in_container: "/data/db.sqlite3" matrix_registration_database_username: 'matrix_registration' matrix_registration_database_password: 'some-password' -matrix_registration_database_hostname: 'matrix-postgres' +matrix_registration_database_hostname: '' matrix_registration_database_port: 5432 matrix_registration_database_name: 'matrix_registration' diff --git a/roles/custom/matrix-registration/tasks/init.yml b/roles/custom/matrix-registration/tasks/init.yml deleted file mode 100644 index 2b43dffdf..000000000 --- a/roles/custom/matrix-registration/tasks/init.yml +++ /dev/null @@ -1,69 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Matrix Registration image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" - when: matrix_registration_enabled | bool - -- when: matrix_registration_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-registration role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_registration_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent; - rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect; - - location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-registration:5000"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8767/$1; - {% endif %} - - {# - Workaround matrix-registration serving the background image at /static - (see https://github.com/ZerataX/matrix-registration/issues/47) - #} - sub_filter_once off; - sub_filter_types text/css; - sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; - } - - - name: Register matrix-registration proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_registration_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}` - URL endpoint to the matrix-registration container. - You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable. - when: "matrix_registration_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..ac8f4c96a --- /dev/null +++ b/roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,55 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-registration role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_registration_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent; + rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect; + + location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-registration:5000"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8767/$1; + {% endif %} + + {# + Workaround matrix-registration serving the background image at /static + (see https://github.com/ZerataX/matrix-registration/issues/47) + #} + sub_filter_once off; + sub_filter_types text/css; + sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; + } + +- name: Register matrix-registration proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_registration_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}` + URL endpoint to the matrix-registration container. + You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index 99b89e3da..64843dee2 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml @@ -1,33 +1,41 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" - tags: +- tags: - setup-all - - setup-matrix-registration + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" - tags: +- tags: - setup-all - setup-matrix-registration + - install-all + - install-matrix-registration + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_registration_enabled | bool" - tags: +- tags: - setup-all - setup-matrix-registration + block: + - when: not matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/generate_token.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" - tags: +- tags: - generate-matrix-registration-token + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/generate_token.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/list_tokens.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" - tags: +- tags: - list-matrix-registration-tokens + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/list_tokens.yml" diff --git a/roles/custom/matrix-registration/tasks/setup_install.yml b/roles/custom/matrix-registration/tasks/setup_install.yml index 04b2db3ef..9278f2ef8 100644 --- a/roles/custom/matrix-registration/tasks/setup_install.yml +++ b/roles/custom/matrix-registration/tasks/setup_install.yml @@ -12,8 +12,11 @@ - when: "matrix_registration_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_registration_sqlite_database_path_local }}" dst: "{{ matrix_registration_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -26,10 +29,6 @@ - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE; additional_psql_statements_db_name: "{{ matrix_registration_database_name }}" - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_registration_requires_restart: true @@ -103,15 +102,10 @@ src: "{{ role_path }}/templates/systemd/matrix-registration.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service" mode: 0644 - register: matrix_registration_systemd_service_result - -- name: Ensure systemd reloaded after matrix-registration.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_registration_systemd_service_result.changed | bool" - name: Ensure matrix-registration.service restarted, if necessary ansible.builtin.service: name: "matrix-registration.service" state: restarted + daemon_reload: true when: "matrix_registration_requires_restart | bool" diff --git a/roles/custom/matrix-registration/tasks/setup_uninstall.yml b/roles/custom/matrix-registration/tasks/setup_uninstall.yml index 623db421e..97c144358 100644 --- a/roles/custom/matrix-registration/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-registration/tasks/setup_uninstall.yml @@ -5,27 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service" register: matrix_registration_service_stat -- name: Ensure matrix-registration is stopped - ansible.builtin.service: - name: matrix-registration - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_registration_service_stat.stat.exists | bool" +- when: matrix_registration_service_stat.stat.exists | bool + block: + - name: Ensure matrix-registration is stopped + ansible.builtin.service: + name: matrix-registration + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-registration.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service" - state: absent - when: "matrix_registration_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-registration.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_registration_service_stat.stat.exists | bool" - -- name: Ensure matrix-registration Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_registration_docker_image }}" - state: absent + - name: Ensure matrix-registration.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service" + state: absent diff --git a/roles/custom/matrix-registration/tasks/validate_config.yml b/roles/custom/matrix-registration/tasks/validate_config.yml index eb140d31e..167c7c5c7 100644 --- a/roles/custom/matrix-registration/tasks/validate_config.yml +++ b/roles/custom/matrix-registration/tasks/validate_config.yml @@ -3,12 +3,13 @@ - name: Fail if required matrix-registration settings not defined ansible.builtin.fail: msg: > - You need to define a required configuration setting (`{{ item }}`) for using matrix-registration. - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_registration_shared_secret" - - "matrix_registration_admin_secret" - - "matrix_registration_server_location" + - {'name': 'matrix_registration_shared_secret', when: true} + - {'name': 'matrix_registration_admin_secret', when: true} + - {'name': 'matrix_registration_server_location', when: true} + - {'name': 'matrix_registration_database_hostname', when: "{{ matrix_registration_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml new file mode 100644 index 000000000..cfc55ecd2 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -0,0 +1,91 @@ +--- + +# Sliding Sync Proxy is an implementation of MSC3575 for the new sliding sync + +matrix_sliding_sync_enabled: true + +matrix_sliding_sync_version: v0.99.4 + +matrix_sliding_sync_scheme: https + +# The hostname at which sliding-sync is served. +matrix_sliding_sync_hostname: '' + +# The path at which sliding-sync is served. +# This value must either be `/` or not end with a slash (e.g. `/sliding-sync`). +matrix_sliding_sync_path_prefix: / + +matrix_sliding_sync_base_path: "{{ matrix_base_data_path }}/sliding-sync" + +matrix_sliding_sync_container_image_self_build: false +matrix_sliding_sync_container_image_self_build_repo: https://github.com/matrix-org/sliding-sync +matrix_sliding_sync_container_image_self_build_repo_version: "{{ 'main' if matrix_sliding_sync_version == 'main' else matrix_sliding_sync_version }}" +matrix_sliding_sync_container_src_path: "{{ matrix_sliding_sync_base_path }}/container-src" + +matrix_sliding_sync_container_image: "{{ matrix_sliding_sync_container_image_name_prefix }}matrix-org/sliding-sync:{{ matrix_sliding_sync_container_image_tag }}" +matrix_sliding_sync_container_image_name_prefix: "{{ 'localhost/' if matrix_sliding_sync_container_image_self_build else matrix_sliding_sync_container_image_registry_prefix }}" +matrix_sliding_sync_container_image_tag: "{{ matrix_sliding_sync_version }}" +matrix_sliding_sync_container_image_force_pull: "{{ matrix_sliding_sync_container_image.endswith(':main') }}" +matrix_sliding_sync_container_image_registry_prefix: ghcr.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_sliding_sync_container_network: matrix-sliding-sync + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_sliding_sync_container_additional_networks: [] + +# matrix_sliding_sync_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_sliding_sync_container_labels_additional_labels`. +matrix_sliding_sync_container_labels_traefik_enabled: true +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_sliding_sync_container_network }}" +matrix_sliding_sync_container_labels_traefik_hostname: "{{ matrix_sliding_sync_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/sliding-sync`). +matrix_sliding_sync_container_labels_traefik_path_prefix: "{{ matrix_sliding_sync_path_prefix }}" +matrix_sliding_sync_container_labels_traefik_rule: "Host(`{{ matrix_sliding_sync_container_labels_traefik_hostname }}`){% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sliding_sync_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_sliding_sync_container_labels_traefik_priority: 0 +matrix_sliding_sync_container_labels_traefik_entrypoints: web-secure +matrix_sliding_sync_container_labels_traefik_tls: "{{ matrix_sliding_sync_container_labels_traefik_entrypoints != 'web' }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom` +matrix_sliding_sync_container_labels_traefik_additional_response_headers: "{{ matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto | combine(matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom) }}" +matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto: {} +matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_sliding_sync_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_sliding_sync_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_sliding_sync_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_sliding_sync_container_extra_arguments: [] + +# List of systemd services that matrix-sliding-sync-proxy.service depends on +matrix_sliding_sync_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-sliding-sync-proxy.service wants +matrix_sliding_sync_systemd_wanted_services_list: [] + +# Controls the SYNCV3_SERVER environment variable +matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_url }}" + +# Controls the SYNCV3_SECRET environment variable +matrix_sliding_sync_environment_variable_syncv3_secret: '' + +# Controls the SYNCV3_DB environment variable +matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode=disable' + +matrix_sliding_sync_database_username: 'matrix_sliding_sync' +matrix_sliding_sync_database_password: '' +matrix_sliding_sync_database_hostname: '' +matrix_sliding_sync_database_port: 5432 +matrix_sliding_sync_database_name: 'matrix_sliding_sync' diff --git a/roles/custom/matrix-sliding-sync/tasks/install.yml b/roles/custom/matrix-sliding-sync/tasks/install.yml new file mode 100644 index 000000000..cb41cec06 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/install.yml @@ -0,0 +1,70 @@ +--- + +- name: Ensure matrix-sliding-sync paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_sliding_sync_base_path }}" + when: true + - path: "{{ matrix_sliding_sync_container_src_path }}" + when: "{{ matrix_sliding_sync_container_image_self_build }}" + when: item.when | bool + +- name: Ensure matrix-sliding-sync support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_sliding_sync_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure matrix-sliding-sync container image is pulled + community.docker.docker_image: + name: "{{ matrix_sliding_sync_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sliding_sync_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sliding_sync_container_image_force_pull }}" + when: "not matrix_sliding_sync_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_sliding_sync_container_image_self_build | bool + block: + - name: Ensure matrix-sliding-sync repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_sliding_sync_container_image_self_build_repo }}" + version: "{{ matrix_sliding_sync_container_image_self_build_repo_version }}" + dest: "{{ matrix_sliding_sync_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_sliding_sync_git_pull_results + + - name: Ensure matrix-sliding-sync container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_sliding_sync_container_image }} + --file={{ matrix_sliding_sync_container_src_path }}/Dockerfile + {{ matrix_sliding_sync_container_src_path }} + changed_when: true + +- name: Ensure matrix-sliding-sync container network is created + community.general.docker_network: + name: "{{ matrix_sliding_sync_container_network }}" + driver: bridge + +- name: Ensure matrix-sliding-sync.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-sliding-sync.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + mode: 0644 diff --git a/roles/custom/matrix-sliding-sync/tasks/main.yml b/roles/custom/matrix-sliding-sync/tasks/main.yml new file mode 100644 index 000000000..521f16fe7 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-sliding-sync + - install-all + - install-sliding-sync + block: + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-sliding-sync + block: + - when: not matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-sliding-sync/tasks/uninstall.yml b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml new file mode 100644 index 000000000..8a559cacc --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-sliding-sync service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + register: matrix_sliding_sync_service_stat + +- when: matrix_sliding_sync_service_stat.stat.exists | bool + block: + - name: Ensure matrix-sliding-sync is stopped + ansible.builtin.service: + name: matrix-sliding-sync + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-sliding-sync.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + state: absent + + - name: Ensure matrix-sliding-sync paths don't exist + ansible.builtin.file: + path: "{{ matrix_sliding_sync_base_path }}" + state: absent diff --git a/roles/custom/matrix-sliding-sync/tasks/validate_config.yml b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml new file mode 100644 index 000000000..5d36403ce --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- +- name: Fail if required matrix-sliding-sync settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "vars[item] == ''" + with_items: + - matrix_sliding_sync_hostname + - matrix_sliding_sync_path_prefix + - matrix_sliding_sync_database_hostname + - matrix_sliding_sync_environment_variable_syncv3_secret diff --git a/roles/custom/matrix-sliding-sync/templates/env.j2 b/roles/custom/matrix-sliding-sync/templates/env.j2 new file mode 100644 index 000000000..1269bd2a1 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/env.j2 @@ -0,0 +1,4 @@ +SYNCV3_SERVER={{ matrix_sliding_sync_environment_variable_syncv3_server }} +SYNCV3_SECRET={{ matrix_sliding_sync_environment_variable_syncv3_secret }} +SYNCV3_BINDADDR=:8008 +SYNCV3_DB={{ matrix_sliding_sync_environment_variable_syncv3_db }} diff --git a/roles/custom/matrix-sliding-sync/templates/labels.j2 b/roles/custom/matrix-sliding-sync/templates/labels.j2 new file mode 100644 index 000000000..665492499 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_sliding_sync_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_sliding_sync_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_sliding_sync_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.regex=({{ matrix_sliding_sync_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-sliding-sync-slashless-redirect'] %} +{% endif %} + +{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sliding-sync-strip-prefix.stripprefix.prefixes={{ matrix_sliding_sync_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-sliding-sync-strip-prefix'] %} +{% endif %} + +{% if matrix_sliding_sync_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_sliding_sync_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-sliding-sync-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-sliding-sync-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-sliding-sync.rule={{ matrix_sliding_sync_container_labels_traefik_rule }} +{% if matrix_sliding_sync_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-sliding-sync.priority={{ matrix_sliding_sync_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-sliding-sync.service=matrix-sliding-sync +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-sliding-sync.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-sliding-sync.entrypoints={{ matrix_sliding_sync_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-sliding-sync.tls={{ matrix_sliding_sync_container_labels_traefik_tls | to_json }} +{% if matrix_sliding_sync_container_labels_traefik_tls %} +traefik.http.routers.matrix-sliding-sync.tls.certResolver={{ matrix_sliding_sync_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008 +{% endif %} + +{{ matrix_sliding_sync_container_labels_additional_labels }} diff --git a/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 new file mode 100644 index 000000000..ac8d2ffb5 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 @@ -0,0 +1,49 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-sliding-sync +{% for service in matrix_sliding_sync_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sliding_sync_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-sliding-sync \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs /tmp \ + --network={{ matrix_sliding_sync_container_network }} \ + --env-file={{ matrix_sliding_sync_base_path }}/env \ + --label-file={{ matrix_sliding_sync_base_path }}/labels \ + {% for arg in matrix_sliding_sync_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sliding_sync_container_image }} + +{% for network in matrix_sliding_sync_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sliding-sync +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sliding-sync + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true' + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sliding-sync + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-sliding-sync/vars/main.yml b/roles/custom/matrix-sliding-sync/vars/main.yml new file mode 100644 index 000000000..8ec69c087 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Public facing base URL of the Sliding Sync service. +# It should not end with a slash. +matrix_sliding_sync_base_url: "{{ matrix_sliding_sync_scheme }}://{{ matrix_sliding_sync_hostname }}{{ '' if matrix_sliding_sync_path_prefix == '/' else matrix_sliding_sync_path_prefix }}" diff --git a/roles/custom/matrix-sygnal/defaults/main.yml b/roles/custom/matrix-sygnal/defaults/main.yml index 1268d6029..f3c1df4eb 100644 --- a/roles/custom/matrix-sygnal/defaults/main.yml +++ b/roles/custom/matrix-sygnal/defaults/main.yml @@ -1,28 +1,77 @@ --- + # Sygnal is a reference Push Gateway for Matrix. # To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. # Project source code URL: https://github.com/matrix-org/sygnal -matrix_sygnal_enabled: false +matrix_sygnal_enabled: true + +# The hostname at which Sygnal is served. +matrix_sygnal_hostname: '' + +# The path at which Sygnal is exposed. +# This value must either be `/` or not end with a slash (e.g. `/sygnal`). +matrix_sygnal_path_prefix: / + +matrix_sygnal_version: v0.12.0 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" -matrix_sygnal_version: v0.12.0 -matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" -matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" - # List of systemd services that matrix-sygnal.service depends on. matrix_sygnal_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-sygnal.service wants matrix_sygnal_systemd_wanted_services_list: [] +matrix_sygnal_docker_image: "{{ matrix_sygnal_docker_image_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_docker_image_tag }}" +matrix_sygnal_docker_image_tag: "{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image_registry_prefix: "{{ matrix_container_global_registry_prefix }}" +matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_sygnal_container_network: "{{ matrix_sygnal_identifier }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_sygnal_container_additional_networks: [] + # Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. matrix_sygnal_container_http_host_bind_port: '' +# matrix_sygnal_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_sygnal_container_labels_additional_labels`. +matrix_sygnal_container_labels_traefik_enabled: true +matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_sygnal_container_network }}" +matrix_sygnal_container_labels_traefik_hostname: "{{ matrix_sygnal_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/sygnal`). +matrix_sygnal_container_labels_traefik_path_prefix: "{{ matrix_sygnal_path_prefix }}" +matrix_sygnal_container_labels_traefik_rule: "Host(`{{ matrix_sygnal_container_labels_traefik_hostname }}`){% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sygnal_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_sygnal_container_labels_traefik_priority: 0 +matrix_sygnal_container_labels_traefik_entrypoints: web-secure +matrix_sygnal_container_labels_traefik_tls: "{{ matrix_sygnal_container_labels_traefik_entrypoints != 'web' }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_sygnal_container_labels_traefik_additional_response_headers_custom` +matrix_sygnal_container_labels_traefik_additional_response_headers: "{{ matrix_sygnal_container_labels_traefik_additional_response_headers_auto | combine(matrix_sygnal_container_labels_traefik_additional_response_headers_custom) }}" +matrix_sygnal_container_labels_traefik_additional_response_headers_auto: {} +matrix_sygnal_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_sygnal_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_sygnal_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_sygnal_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_sygnal_container_extra_arguments: [] diff --git a/roles/custom/matrix-sygnal/tasks/init.yml b/roles/custom/matrix-sygnal/tasks/init.yml deleted file mode 100644 index dae7a299c..000000000 --- a/roles/custom/matrix-sygnal/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}" - when: matrix_sygnal_enabled | bool diff --git a/roles/custom/matrix-sygnal/tasks/setup_install.yml b/roles/custom/matrix-sygnal/tasks/install.yml similarity index 78% rename from roles/custom/matrix-sygnal/tasks/setup_install.yml rename to roles/custom/matrix-sygnal/tasks/install.yml index 27424314f..7ee75a94e 100644 --- a/roles/custom/matrix-sygnal/tasks/setup_install.yml +++ b/roles/custom/matrix-sygnal/tasks/install.yml @@ -1,16 +1,5 @@ --- -- name: Ensure Sygnal image is pulled - community.docker.docker_image: - name: "{{ matrix_sygnal_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - - name: Ensure Sygnal paths exists ansible.builtin.file: path: "{{ item }}" @@ -31,14 +20,32 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Sygnal labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_sygnal_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Sygnal image is pulled + community.docker.docker_image: + name: "{{ matrix_sygnal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Sygnal container network is created + community.general.docker_network: + name: "{{ matrix_sygnal_container_network }}" + driver: bridge + - name: Ensure matrix-sygnal.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service" mode: 0644 - register: matrix_sygnal_systemd_service_result - -- name: Ensure systemd reloaded after matrix-sygnal.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_sygnal_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index b001bb825..a586cbd02 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -1,23 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-sygnal + - install-all + - install-sygnal + block: + - when: matrix_sygnal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_sygnal_enabled | bool - tags: - - setup-all - - setup-sygnal + - when: matrix_sygnal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_sygnal_enabled | bool - tags: +- tags: - setup-all - setup-sygnal + block: + - when: not matrix_sygnal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml b/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml deleted file mode 100644 index e398f7a99..000000000 --- a/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Check existence of matrix-sygnal service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service" - register: matrix_sygnal_service_stat - -- name: Ensure matrix-sygnal is stopped - ansible.builtin.service: - name: matrix-sygnal - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_sygnal_service_stat.stat.exists | bool" - -- name: Ensure matrix-sygnal.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service" - state: absent - when: "matrix_sygnal_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-sygnal.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_sygnal_service_stat.stat.exists | bool" - -- name: Ensure Sygnal base directory doesn't exist - ansible.builtin.file: - path: "{{ matrix_sygnal_base_path }}" - state: absent - -- name: Ensure Sygnal Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_sygnal_docker_image }}" - state: absent diff --git a/roles/custom/matrix-sygnal/tasks/uninstall.yml b/roles/custom/matrix-sygnal/tasks/uninstall.yml new file mode 100644 index 000000000..5f01daf1f --- /dev/null +++ b/roles/custom/matrix-sygnal/tasks/uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-sygnal service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service" + register: matrix_sygnal_service_stat + +- when: matrix_sygnal_service_stat.stat.exists | bool + block: + - name: Ensure matrix-sygnal is stopped + ansible.builtin.service: + name: matrix-sygnal + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-sygnal.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service" + state: absent + + - name: Ensure Sygnal base directory doesn't exist + ansible.builtin.file: + path: "{{ matrix_sygnal_base_path }}" + state: absent diff --git a/roles/custom/matrix-sygnal/tasks/validate_config.yml b/roles/custom/matrix-sygnal/tasks/validate_config.yml index 277bd1b2a..1cdf20381 100644 --- a/roles/custom/matrix-sygnal/tasks/validate_config.yml +++ b/roles/custom/matrix-sygnal/tasks/validate_config.yml @@ -1,7 +1,37 @@ --- +- name: Fail if required Sygnal settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_sygnal_hostname + - matrix_sygnal_path_prefix + - matrix_sygnal_container_network + +- when: matrix_sygnal_container_labels_traefik_enabled | bool + block: + - name: Fail if required Sygnal Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_sygnal_container_labels_traefik_hostname + - matrix_sygnal_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_sygnal_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_sygnal_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_sygnal_container_labels_traefik_path_prefix (`{{ matrix_sygnal_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/sygnal`). + when: "matrix_sygnal_container_labels_traefik_path_prefix != '/' and matrix_sygnal_container_labels_traefik_path_prefix[-1] == '/'" + - name: Fail if no Sygnal apps defined ansible.builtin.fail: msg: >- Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` - when: "matrix_sygnal_enabled and matrix_sygnal_apps | length == 0" + when: "matrix_sygnal_apps | length == 0" diff --git a/roles/custom/matrix-sygnal/templates/labels.j2 b/roles/custom/matrix-sygnal/templates/labels.j2 new file mode 100644 index 000000000..964805894 --- /dev/null +++ b/roles/custom/matrix-sygnal/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_sygnal_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_sygnal_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_sygnal_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.regex=({{ matrix_sygnal_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-sygnal-slashless-redirect'] %} +{% endif %} + +{% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sygnal-strip-prefix.stripprefix.prefixes={{ matrix_sygnal_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-sygnal-strip-prefix'] %} +{% endif %} + +{% if matrix_sygnal_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_sygnal_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-sygnal-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-sygnal-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-sygnal.rule={{ matrix_sygnal_container_labels_traefik_rule }} +{% if matrix_sygnal_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-sygnal.priority={{ matrix_sygnal_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-sygnal.service=matrix-sygnal +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-sygnal.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-sygnal.entrypoints={{ matrix_sygnal_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-sygnal.tls={{ matrix_sygnal_container_labels_traefik_tls | to_json }} +{% if matrix_sygnal_container_labels_traefik_tls %} +traefik.http.routers.matrix-sygnal.tls.certResolver={{ matrix_sygnal_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-sygnal.loadbalancer.server.port=6000 +{% endif %} + +{{ matrix_sygnal_container_labels_additional_labels }} diff --git a/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 646314dfb..49b513cda 100644 --- a/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -16,15 +16,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sygnal 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sygnal 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-sygnal \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-sygnal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --env=SYGNAL_CONF=/config/sygnal.yaml \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_sygnal_container_network }} \ {% if matrix_sygnal_container_http_host_bind_port %} -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ {% endif %} + --label-file={{ matrix_sygnal_base_path }}/labels \ --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ {% for arg in matrix_sygnal_container_extra_arguments %} @@ -32,8 +35,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_sygnal_docker_image }} +{% for network in matrix_sygnal_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sygnal +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sygnal + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sygnal 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sygnal 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-sygnal diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 9f4510b6a..ae912f71f 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml @@ -4,30 +4,141 @@ matrix_synapse_admin_enabled: true +# A path on host where all related files will be saved +matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin" +matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src" + +# Specifies whether this role will integrate with the matrix-nginx-proxy role +matrix_synapse_admin_nginx_proxy_integration_enabled: false + matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" -matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" - -matrix_synapse_admin_version: 0.8.5 +matrix_synapse_admin_version: 0.8.7 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" +# The base container network +matrix_synapse_admin_container_network: matrix-synapse-admin + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_synapse_admin_container_additional_networks: [] + +# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose. +matrix_synapse_admin_container_http_host_bind_port: '' + # A list of extra arguments to pass to the container matrix_synapse_admin_container_extra_arguments: [] +# matrix_synapse_admin_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_synapse_admin_container_labels_additional_labels`. +matrix_synapse_admin_container_labels_traefik_enabled: true +matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_synapse_admin_container_network }}" +matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_synapse_admin_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`). +matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_path_prefix }}" +matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`){% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`){% endif %}" +matrix_synapse_admin_container_labels_traefik_priority: 0 +matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure +matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}" +matrix_synapse_admin_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom` +matrix_synapse_admin_container_labels_traefik_additional_response_headers: "{{ matrix_synapse_admin_container_labels_traefik_additional_response_headers_auto | combine(matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom) }}" +matrix_synapse_admin_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_synapse_admin_http_header_xss_protection} if matrix_synapse_admin_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_synapse_admin_http_header_frame_options} if matrix_synapse_admin_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_synapse_admin_http_header_content_type_options} if matrix_synapse_admin_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_synapse_admin_http_header_content_security_policy} if matrix_synapse_admin_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_synapse_admin_http_header_content_permission_policy} if matrix_synapse_admin_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_synapse_admin_http_header_strict_transport_security} if matrix_synapse_admin_http_header_strict_transport_security and matrix_synapse_admin_container_labels_traefik_tls else {}) + }} +matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_synapse_admin_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_synapse_admin_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_synapse_admin_container_labels_additional_labels: '' + # List of systemd services that matrix-synapse-admin.service depends on matrix_synapse_admin_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-synapse-admin.service wants matrix_synapse_admin_systemd_wanted_services_list: [] -# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container). +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. # -# Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose. -matrix_synapse_admin_container_http_host_bind_port: '' +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_synapse_admin_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_synapse_admin_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_synapse_admin_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_synapse_admin_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_synapse_admin_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_synapse_admin_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_synapse_admin_hsts_preload_enabled else '' }}" -# The path at which Synapse Admin will be exposed on `matrix.DOMAIN` -# (only applies when matrix-nginx-proxy is used). -matrix_synapse_admin_public_endpoint: /synapse-admin +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_synapse_admin_content_permission_policy` +matrix_synapse_admin_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_synapse_admin_http_header_strict_transport_security` +matrix_synapse_admin_hsts_preload_enabled: false + +# The hostname at which Synapse Admin is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_matrix` is used and this variable has no effect. +matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}" + +# The path at which Synapse Admin is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/synapse-admin`). +matrix_synapse_admin_path_prefix: /synapse-admin diff --git a/roles/custom/matrix-synapse-admin/tasks/init.yml b/roles/custom/matrix-synapse-admin/tasks/init.yml deleted file mode 100644 index c2b2d05f2..000000000 --- a/roles/custom/matrix-synapse-admin/tasks/init.yml +++ /dev/null @@ -1,60 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Synapse Admin image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_image_self_build and matrix_synapse_admin_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" - when: matrix_synapse_admin_enabled | bool - -- when: matrix_synapse_admin_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_synapse_admin_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; - - location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse-admin:80"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8766/$1; - {% endif %} - } - - - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_synapse_admin_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}` - URL endpoint to the matrix-synapse-admin container. - You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. - when: "matrix_synapse_admin_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..a06f47a1d --- /dev/null +++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml @@ -0,0 +1,46 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_synapse_admin_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_synapse_admin_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_path_prefix }}/ permanent; + + location ~ ^{{ matrix_synapse_admin_path_prefix }}/(.*) { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse-admin:80"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8766/$1; + {% endif %} + } + +- name: Register Synapse Admin proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_synapse_admin_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_synapse_admin_path_prefix }}` + URL endpoint to the matrix-synapse-admin container. + You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index 0c6bd942c..da9bdb18c 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml @@ -1,16 +1,29 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-synapse-admin + - install-all + - install-synapse-admin + block: + - when: matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: - setup-all - setup-synapse-admin + block: + - when: not matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse-admin/tasks/setup.yml b/roles/custom/matrix-synapse-admin/tasks/setup.yml deleted file mode 100644 index 56cee4987..000000000 --- a/roles/custom/matrix-synapse-admin/tasks/setup.yml +++ /dev/null @@ -1,88 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-synapse-admin -# - -- name: Ensure matrix-synapse-admin image is pulled - community.docker.docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled | bool and not matrix_synapse_admin_container_image_self_build | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-synapse-admin repository is present when self-building - ansible.builtin.git: - repo: "{{ matrix_synapse_admin_container_image_self_build_repo }}" - dest: "{{ matrix_synapse_admin_docker_src_files_path }}" - version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled | bool and matrix_synapse_admin_container_image_self_build | bool" - -- name: Ensure matrix-synapse-admin Docker image is built - community.docker.docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - source: build - force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_synapse_admin_docker_src_files_path }}" - pull: true - when: "matrix_synapse_admin_enabled | bool and matrix_synapse_admin_container_image_self_build | bool" - -- name: Ensure matrix-synapse-admin.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-synapse-admin.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" - mode: 0644 - register: matrix_synapse_admin_systemd_service_result - when: matrix_synapse_admin_enabled | bool - -- name: Ensure systemd reloaded after matrix-synapse-admin.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_synapse_admin_enabled | bool and matrix_synapse_admin_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-synapse-admin (if it was previously enabled) -# - -- name: Check existence of matrix-synapse-admin service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" - register: matrix_synapse_admin_service_stat - -- name: Ensure matrix-synapse-admin is stopped - ansible.builtin.service: - name: matrix-synapse-admin - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_synapse_admin_enabled | bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure matrix-synapse-admin.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" - state: absent - when: "not matrix_synapse_admin_enabled | bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-synapse-admin.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_synapse_admin_enabled | bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure matrix-synapse-admin Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - state: absent - when: "not matrix_synapse_admin_enabled | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml new file mode 100644 index 000000000..2eefe06f6 --- /dev/null +++ b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml @@ -0,0 +1,63 @@ +--- + +- name: Ensure matrix-synapse-admin path exist + ansible.builtin.file: + path: "{{ matrix_synapse_admin_base_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-synapse-admin labels file is created + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_synapse_admin_base_path }}/labels" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure matrix-synapse-admin image is pulled + community.docker.docker_image: + name: "{{ matrix_synapse_admin_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" + when: not matrix_synapse_admin_container_image_self_build | bool + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-synapse-admin repository is present when self-building + ansible.builtin.git: + repo: "{{ matrix_synapse_admin_container_image_self_build_repo }}" + dest: "{{ matrix_synapse_admin_docker_src_files_path }}" + version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_synapse_admin_git_pull_results + when: matrix_synapse_admin_container_image_self_build | bool + +- name: Ensure matrix-synapse-admin Docker image is built + community.docker.docker_image: + name: "{{ matrix_synapse_admin_docker_image }}" + source: build + force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_synapse_admin_docker_src_files_path }}" + pull: true + when: matrix_synapse_admin_container_image_self_build | bool + +- name: Ensure matrix-synapse-admin container network is created + community.general.docker_network: + name: "{{ matrix_synapse_admin_container_network }}" + driver: bridge + +- name: Ensure matrix-synapse-admin.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-synapse-admin.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" + mode: 0644 diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml new file mode 100644 index 000000000..69820a005 --- /dev/null +++ b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-synapse-admin service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" + register: matrix_synapse_admin_service_stat + +- when: matrix_synapse_admin_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse-admin is stopped + ansible.builtin.service: + name: matrix-synapse-admin + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-synapse-admin.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" + state: absent + + - name: Ensure matrix-synapse-admin directory doesn't exist + ansible.builtin.file: + path: "{{ matrix_synapse_admin_base_path }}" + state: absent diff --git a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml index bf5fe69e1..d02819863 100644 --- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml @@ -10,3 +10,24 @@ - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'} - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} + - {'old': 'matrix_synapse_admin_public_endpoint', 'new': 'matrix_synapse_admin_path_prefix'} + +- when: matrix_synapse_admin_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-synapse-admin Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_synapse_admin_container_labels_traefik_hostname + - matrix_synapse_admin_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_synapse_admin_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_synapse_admin_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_synapse_admin_container_labels_traefik_path_prefix (`{{ matrix_synapse_admin_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/synapse-admin`). + when: "matrix_synapse_admin_container_labels_traefik_path_prefix != '/' and matrix_synapse_admin_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2 new file mode 100644 index 000000000..946fd6c98 --- /dev/null +++ b/roles/custom/matrix-synapse-admin/templates/labels.j2 @@ -0,0 +1,45 @@ +{% if matrix_synapse_admin_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_synapse_admin_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_synapse_admin_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.regex=({{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-synapse-admin-slashless-redirect'] %} +{% endif %} + +{% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-synapse-admin-strip-prefix.stripprefix.prefixes={{ matrix_synapse_admin_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-synapse-admin-strip-prefix'] %} +{% endif %} + +{% if matrix_synapse_admin_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_synapse_admin_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-synapse-admin-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-synapse-admin-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-synapse-admin.rule={{ matrix_synapse_admin_container_labels_traefik_rule }} +{% if matrix_synapse_admin_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-admin.priority={{ matrix_synapse_admin_container_labels_traefik_priority }} +{% endif %} +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-synapse-admin.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-synapse-admin.service=matrix-synapse-admin +traefik.http.routers.matrix-synapse-admin.entrypoints={{ matrix_synapse_admin_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-admin.tls={{ matrix_synapse_admin_container_labels_traefik_tls | to_json }} +{% if matrix_synapse_admin_container_labels_traefik_tls %} +traefik.http.routers.matrix-synapse-admin.tls.certResolver={{ matrix_synapse_admin_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80 +{% endif %} + +{{ matrix_synapse_admin_container_labels_additional_labels }} diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 9bae6e03f..ba56374c4 100644 --- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -16,24 +16,34 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-admin 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-admin 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-synapse-admin \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse-admin \ --log-driver=none \ --cap-drop=ALL \ --cap-add=CHOWN \ --cap-add=NET_BIND_SERVICE \ --cap-add=SETUID \ --cap-add=SETGID \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_admin_container_network }} \ {% if matrix_synapse_admin_container_http_host_bind_port %} -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \ {% endif %} + --label-file={{ matrix_synapse_admin_base_path }}/labels \ {% for arg in matrix_synapse_admin_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_synapse_admin_docker_image }} +{% for network in matrix_synapse_admin_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-admin +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse-admin + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-admin 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-admin 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml new file mode 100644 index 000000000..7b5ea54da --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml @@ -0,0 +1,64 @@ +--- + +# synapse_auto_compressor tool +# Project source code URL: https://github.com/matrix-org/rust-synapse-compress-state + +matrix_synapse_auto_compressor_enabled: true + +matrix_synapse_auto_compressor_version: v0.1.3 + +matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor" +matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src" + +matrix_synapse_auto_compressor_container_image_self_build: false +matrix_synapse_auto_compressor_container_image_self_build_repo: "https://github.com/matrix-org/rust-synapse-compress-state.git" +matrix_synapse_auto_compressor_container_image_self_build_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}" + +matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}" +matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_synapse_auto_compressor_container_additional_networks: [] + +# A list of extra arguments to pass to the container +matrix_synapse_auto_compressor_container_extra_arguments: [] + +# List of systemd services that matrix-synapse-auto-compressor.service depends on +matrix_synapse_auto_compressor_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse-auto-compressor.service wants +matrix_synapse_auto_compressor_systemd_wanted_services_list: [] + +matrix_synapse_auto_compressor_database_username: 'synapse' +matrix_synapse_auto_compressor_database_password: '' +matrix_synapse_auto_compressor_database_hostname: '' +matrix_synapse_auto_compressor_database_port: 5432 +matrix_synapse_auto_compressor_database_name: 'synapse' + +# connection string to synapse database (postgres only) +matrix_synapse_auto_compressor_synapse_database: 'postgres://{{ matrix_synapse_auto_compressor_database_username | urlencode() }}:{{ matrix_synapse_auto_compressor_database_password | urlencode() }}@{{ matrix_synapse_auto_compressor_database_hostname }}:{{ matrix_synapse_auto_compressor_database_port }}/{{ matrix_synapse_auto_compressor_database_name }}' + +# systemd calendar configuration for the compressor job +matrix_synapse_auto_compressor_calendar: "*-*-* 00:00:00" + +# The number of state groups to work on at once. +# All of the entries from state_groups_state are requested from the database for state groups that are worked on. +# Therefore small chunk sizes may be needed on machines with low memory. +# Note: if the compressor fails to find space savings on the chunk as a whole +# (which may well happen in rooms with lots of backfill in) then the entire chunk is skipped. +matrix_synapse_auto_compressor_chunk_size: 500 + +# CHUNKS_TO_COMPRESS chunks of size CHUNK_SIZE will be compressed. +# The higher this number is set to, the longer the compressor will run for. +matrix_synapse_auto_compressor_chunks_to_compress: 100 + +matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p $POSTGRES_LOCATION -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}" + +# Controls the POSTGRES_LOCATION environment variable +matrix_synapse_auto_compressor_environment_variable_postgres_location: "{{ matrix_synapse_auto_compressor_synapse_database }}" diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml new file mode 100644 index 000000000..be4d5aadb --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml @@ -0,0 +1,72 @@ +--- + +- name: Ensure synapse-auto-compressor paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: item.when | bool + with_items: + - path: "{{ matrix_synapse_auto_compressor_base_path }}" + when: true + - path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}" + +- name: Ensure synapse-auto-compressor labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_synapse_auto_compressor_base_path }}/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure synapse-auto-compressor image is pulled + community.docker.docker_image: + name: "{{ matrix_synapse_auto_compressor_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_auto_compressor_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_auto_compressor_container_image_force_pull }}" + when: "not matrix_synapse_auto_compressor_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure synapse-auto-compressor repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_synapse_auto_compressor_container_image_self_build_repo }}" + version: "{{ matrix_synapse_auto_compressor_container_image_self_build_version }}" + dest: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_synapse_auto_compressor_git_pull_results + when: "matrix_synapse_auto_compressor_container_image_self_build | bool" + +- name: Ensure synapse-auto-compressor image is built + community.docker.docker_image: + name: "{{ matrix_synapse_auto_compressor_container_image }}" + source: build + force_source: "{{ matrix_synapse_auto_compressor_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + pull: true + when: "matrix_synapse_auto_compressor_container_image_self_build | bool" + +- name: Ensure matrix-synapse-auto-compressor container network is created + community.general.docker_network: + name: "{{ matrix_synapse_auto_compressor_container_network }}" + driver: bridge + +- name: Ensure matrix-synapse-auto-compressor systemd service and timer are installed + ansible.builtin.template: + src: "{{ role_path }}/templates/matrix-synapse-auto-compressor.{{ item }}.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.{{ item }}" + mode: 0644 + with_items: + - service + - timer diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml new file mode 100644 index 000000000..5993e4f9b --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-synapse-auto-compressor + - install-all + - install-synapse-auto-compressor + block: + - when: matrix_synapse_auto_compressor_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_synapse_auto_compressor_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-synapse-auto-compressor + block: + - when: not matrix_synapse_auto_compressor_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml new file mode 100644 index 000000000..075f3c101 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml @@ -0,0 +1,29 @@ +--- +- name: Check existence of matrix-synapse-auto-compressor service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.service" + register: matrix_synapse_auto_compressor_service_stat + +- when: matrix_synapse_auto_compressor_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse-auto-compressor is stopped + ansible.builtin.service: + name: matrix-synapse-auto-compressor + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-synapse-auto-compressor.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.service" + state: absent + + - name: Ensure matrix-synapse-auto-compressor.timer doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.timer" + state: absent + + - name: Ensure Matrix synapse-auto-compressor paths don't exist + ansible.builtin.file: + path: "{{ matrix_synapse_auto_compressor_base_path }}" + state: absent diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml new file mode 100644 index 000000000..b0dbfab06 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required matrix-synapse-auto-compressor settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_synapse_auto_compressor_database_hostname + - matrix_synapse_auto_compressor_database_password diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 new file mode 100644 index 000000000..27fb1dd88 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 @@ -0,0 +1 @@ +POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }} diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 new file mode 100644 index 000000000..f530d5b27 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse State Auto Compressor +{% for service in matrix_synapse_auto_compressor_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_synapse_auto_compressor_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=oneshot +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-auto-compressor 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-auto-compressor 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse-auto-compressor \ + --log-driver=none \ + --cap-drop=ALL \ + --read-only \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_synapse_auto_compressor_container_network }} \ + --env-file={{ matrix_synapse_auto_compressor_base_path }}/env \ + --entrypoint=/bin/sh \ + {% for arg in matrix_synapse_auto_compressor_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_synapse_auto_compressor_container_image }} \ + -c '{{ matrix_synapse_auto_compressor_command }}' + +{% for network in matrix_synapse_auto_compressor_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse-auto-compressor + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-auto-compressor 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-auto-compressor 2>/dev/null || true' +SyslogIdentifier=matrix-synapse-auto-compressor + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 new file mode 100644 index 000000000..1d7b16d33 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Synapse State Auto Compressor Timer + +[Timer] +Unit=matrix-synapse-auto-compressor.service +OnCalendar={{ matrix_synapse_auto_compressor_calendar }} + +[Install] +WantedBy=timers.target diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml new file mode 100644 index 000000000..048ded6bb --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -0,0 +1,164 @@ +--- + +# matrix-synapse-reverse-proxy companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse. +# +# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`). +# +# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated. +# Certain requests need to go to certain workers, etc. +# In the past, the main reverse proxy (`matrix-synapse-reverse-proxy-companion`) was handling request routing to the appropriate workers, +# but that only worked well for external requests (from outside of the Matrix server itself). +# +# Without the help of `matrix-synapse-reverse-proxy-companion`, internal services (like Dimension) that would like to talk to Synapse over the container network +# did not have an endpoint for Synapse that they could be pointed to and have it just work. +# If `matrix-synapse-reverse-proxy-companion` was enabled, Dimension could be pointed to its vhost handling Synapse and routing to the appropriate workers, +# but when `matrix-synapse-reverse-proxy-companion` was disabled, this helpful functionality was not available and the best we could do +# is point Dimension to the main Synapse process at `matrix-synapse:XXXX` itself. +# Doing that breaks requests that need to go to specific workers. +# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090 +# +# What this role does is, it extracts all the Synapse request routing out of the `matrix-synapse-reverse-proxy-companion` role here, +# and makes the `matrix-synapse-reverse-proxy-companion` container service represent Synapse and route appropriately, +# regardless of whether workers are enabled or disabled. +# All other playbook services can then forget about `matrix-synapse` or `matrix-synapse-whatever-worker`, etc., +# and just use `matrix-synapse-reverse-proxy-companion` as their request destination. + +matrix_synapse_reverse_proxy_companion_enabled: true + +matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine + +matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" +matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" + +# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on +matrix_synapse_reverse_proxy_companion_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants +matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service'] + +# We use an official nginx image, which we fix-up to run unprivileged. +# An alternative would be an `nginxinc/nginx-unprivileged` image, but +# that is frequently out of date. +matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}" +matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}" + +matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-synapse-reverse-proxy-companion to another reverse proxy, which runs in a different container network, +# without exposing all other Matrix services to that other reverse-proxy. +# +# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 +matrix_synapse_reverse_proxy_companion_container_additional_networks: [] + +# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '' + +# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose. +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '' + +# The amount of worker processes and connections +# Consider increasing these when you are expecting high amounts of traffic +# http://nginx.org/en/docs/ngx_core_module.html#worker_connections +matrix_synapse_reverse_proxy_companion_worker_processes: auto +matrix_synapse_reverse_proxy_companion_worker_connections: 1024 + +# Option to disable the access log +matrix_synapse_reverse_proxy_companion_access_log_enabled: true + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}" +matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}" + +# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). +# for big matrixservers to enlarge the number of open files to prevent timeouts +# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: +# - 'worker_rlimit_nofile 30000;' +matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). +matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). +matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: [] + +# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives +# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server +# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server. +# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server. +# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client. +# +# For more information visit: +# http://nginx.org/en/docs/http/ngx_http_proxy_module.html +# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout +# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/ +# +# Here we are sticking with nginx default values change this value carefully. +matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60 +matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60 +matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60 +matrix_synapse_reverse_proxy_companion_send_timeout: 60 + +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). +# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11 + +matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion" + +# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is +matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}' +# This needs to be equal or higher than the maximum upload size accepted by Synapse. +matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 50 + +# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done +matrix_synapse_reverse_proxy_companion_federation_api_enabled: true +# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is +matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}' +matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3 }}" + +# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API +matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API +matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: [] + + +# synapse worker activation and endpoint mappings +matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false +matrix_synapse_reverse_proxy_companion_synapse_workers_list: [] +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: [] + + +# synapse content caching +matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false +matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache +matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC" +matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m" +matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h" +matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024 +matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h" + + +# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header. +# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server (`matrix-nginx-proxy`, etc.). +# As such, it trusts the protocol scheme forwarded by the upstream proxy. +matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true +matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml new file mode 100644 index 000000000..680602672 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-synapse-reverse-proxy-companion + - setup-synapse + - install-all + - install-synapse-reverse-proxy-companion + - install-synapse + block: + - when: matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-synapse-reverse-proxy-companion + - setup-synapse + block: + - when: not matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml new file mode 100644 index 000000000..83c1e5e3c --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml @@ -0,0 +1,44 @@ +--- + +- name: Ensure matrix-synapse-reverse-proxy-companion paths exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_synapse_reverse_proxy_companion_base_path }}" + - "{{ matrix_synapse_reverse_proxy_companion_confd_path }}" + +- name: Ensure matrix-synapse-reverse-proxy-companion configured + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0644 + with_items: + - src: "{{ role_path }}/templates/nginx/nginx.conf.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf" + - src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf" + - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf" + +- name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled + community.docker.docker_image: + name: "{{ matrix_synapse_reverse_proxy_companion_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_reverse_proxy_companion_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_reverse_proxy_companion_container_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-synapse-reverse-proxy-companion.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service" + mode: 0644 diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml new file mode 100644 index 000000000..7b820b35b --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-synapse-reverse-proxy-companion service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service" + register: matrix_synapse_reverse_proxy_companion_service_stat + +- when: matrix_synapse_reverse_proxy_companion_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse-reverse-proxy-companion.service is stopped + ansible.builtin.service: + name: matrix-synapse-reverse-proxy-companion + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-synapse-reverse-proxy-companion.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service" + state: absent + + - name: Ensure matrix-synapse-reverse-proxy-companion data deleted + ansible.builtin.file: + path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}" + state: absent diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 new file mode 100644 index 000000000..77f782285 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 @@ -0,0 +1,208 @@ +#jinja2: lstrip_blocks: "True" + +{% set generic_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} +{% set stream_writer_typing_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'typing') | list %} +{% set stream_writer_to_device_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'to_device') | list %} +{% set stream_writer_account_data_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %} +{% set stream_writer_receipts_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %} +{% set stream_writer_presence_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %} +{% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} +{% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} + +{% macro render_worker_upstream(name, workers) %} +{% if workers | length > 0 %} + upstream {{ name }} { + {% for worker in workers %} + server "{{ worker.name }}:{{ worker.port }}"; + {% endfor %} + } +{% endif %} +{% endmacro %} + +{% macro render_locations_to_upstream(locations, upstream_name) %} + {% for location in locations %} + location ~ {{ location }} { + proxy_pass http://{{ upstream_name }}$request_uri; + proxy_set_header Host $host; + } + {% endfor %} +{% endmacro %} + +{% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + proxy_cache_path {{ matrix_synapse_reverse_proxy_companion_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}:{{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size }} inactive={{ matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time }} max_size={{ matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb }}m; + {% endif %} + # Round Robin "upstream" pools for workers + + {% if generic_workers |length > 0 %} + upstream generic_workers_upstream { + # ensures that requests from the same client will always be passed + # to the same server (except when this server is unavailable) + hash $http_x_forwarded_for; + + {% for worker in generic_workers %} + server "{{ worker.name }}:{{ worker.port }}"; + {% endfor %} + } + {% endif %} + + {{ render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers) }} + {{ render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers) }} + {{ render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers) }} + {{ render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers) }} + {{ render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers) }} + + {{ render_worker_upstream('media_repository_workers_upstream', media_repository_workers) }} + + {{ render_worker_upstream('user_dir_workers_upstream', user_dir_workers) }} +{% endif %} + +server { + listen 8008; + server_name {{ matrix_synapse_reverse_proxy_companion_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {# Workers redirects BEGIN #} + + {% if generic_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }} + {% endif %} + + {% if stream_writer_typing_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_to_device_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_account_data_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_receipts_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_presence_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }} + {% endif %} + + {% if media_repository_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository + {% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_workers_upstream$request_uri; + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + proxy_buffering on; + proxy_cache {{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}; + proxy_cache_valid any {{ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time }}; + proxy_force_ranges on; + add_header X-Cache-Status $upstream_cache_status; + {% endif %} + } + {% endfor %} + {% endif %} + + {% if user_dir_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations, 'user_dir_workers_upstream') }} + {% endif %} + {# Workers redirects END #} + {% endif %} + + {% for configuration_block in matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# Everything else just goes to the API server ##} + location / { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s; + set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}"; + proxy_pass http://$backend; + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_synapse_reverse_proxy_companion_federation_api_enabled %} +server { + listen 8048; + server_name {{ matrix_synapse_reverse_proxy_companion_hostname }}; + + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {% if generic_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }} + {% endif %} + {% if media_repository_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository + {% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_workers_upstream$request_uri; + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + proxy_buffering on; + proxy_cache {{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}; + proxy_cache_valid any {{ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time }}; + proxy_force_ranges on; + add_header X-Cache-Status $upstream_cache_status; + {% endif %} + } + {% endfor %} + {% endif %} + {% endif %} + + {% for configuration_block in matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s; + set $backend "{{ matrix_synapse_reverse_proxy_companion_federation_api_addr }}"; + proxy_pass http://$backend; + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 new file mode 100644 index 000000000..d53f172dc --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 @@ -0,0 +1,13 @@ +#jinja2: lstrip_blocks: "True" +# The default is aligned to the CPU's cache size, +# which can sometimes be too low. +# Thus, we ensure a larger bucket size value is used. +server_names_hash_bucket_size 64; + +{% if matrix_synapse_reverse_proxy_companion_http_level_resolver %} +resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }}; +{% endif %} + +{% for configuration_block in matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 new file mode 100644 index 000000000..309bb5301 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 @@ -0,0 +1,77 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# +# The following changes have been done compared to a default nginx configuration file: +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes {{ matrix_synapse_reverse_proxy_companion_worker_processes }}; +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; +{% for configuration_block in matrix_synapse_reverse_proxy_companion_additional_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + +events { + worker_connections {{ matrix_synapse_reverse_proxy_companion_worker_connections }}; +{% for configuration_block in matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks %} + {{- configuration_block }} +{% endfor %} +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + {% if matrix_synapse_reverse_proxy_companion_access_log_enabled %} + access_log /var/log/nginx/access.log main; + {% endif %} + + {% if matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %} + log_format prometheus_fmt 'matrix-synapse-reverse-proxy-companion $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] ' + '$host "$request" ' + '$status "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log syslog:server={{ matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port }},tag=matrix_nginx_proxy_companion prometheus_fmt; + {% endif %} + + {% if not matrix_synapse_reverse_proxy_companion_access_log_enabled and not matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %} + access_log off; + {% endif %} + + proxy_connect_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_connect_timeout }}; + proxy_send_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_send_timeout }}; + proxy_read_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_read_timeout }}; + send_timeout {{ matrix_synapse_reverse_proxy_companion_send_timeout }}; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + server_tokens off; + + #gzip on; + {# Map directive needed for proxied WebSocket upgrades #} + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include /etc/nginx/conf.d/*.conf; +} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 new file mode 100755 index 000000000..125d7f498 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 @@ -0,0 +1,55 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse reverse-proxy companion +{% for service in matrix_synapse_reverse_proxy_companion_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-reverse-proxy-companion 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse-reverse-proxy-companion \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb }}m \ + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + --tmpfs=/tmp/synapse-cache:rw,noexec,nosuid,size={{ matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb }}m\ + {% endif %} + --network={{ matrix_synapse_reverse_proxy_companion_container_network }} \ + {% if matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port %} + -p {{ matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port }}:8008 \ + {% endif %} + {% if matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port %} + -p {{ matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port }}:8048 \ + {% endif %} + --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \ + {{ matrix_synapse_reverse_proxy_companion_container_image }} + +{% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-reverse-proxy-companion +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse-reverse-proxy-companion + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-reverse-proxy-companion 2>/dev/null || true' +ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse-reverse-proxy-companion /usr/sbin/nginx -s reload +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-synapse-reverse-proxy-companion + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 54351256a..48d8e8d98 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,6 +4,12 @@ matrix_synapse_enabled: true +matrix_synapse_version: v1.88.0 + +matrix_synapse_username: '' +matrix_synapse_uid: '' +matrix_synapse_gid: '' + matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" @@ -17,12 +23,41 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s # - `matrix_synapse_container_image_customizations_dockerfile_body_custom` # - `matrix_synapse_docker_image_customized` # - `matrix_synapse_docker_image_final` -matrix_synapse_container_image_customizations_enabled: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}" +matrix_synapse_container_image_customizations_enabled: |- + {{ + matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled + or + matrix_synapse_container_image_customizations_templates_enabled + }} # Controls whether custom build steps will be added to the Dockerfile for installing s3-storage-provider. # The version that will be installed is specified in `matrix_synapse_ext_synapse_s3_storage_provider_version`. matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}" +# Controls whether custom build steps will be added to the Dockerfile for customizing the email templates used by Synapse. +# +# Example usage: +# +# ```yml +# matrix_synapse_container_image_customizations_templates_enabled: true +# # The templates are expected to be in a `templates/` subdirectory in +# matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates/ +# matrix_synapse_container_image_customizations_templates_git_repository_url: git@github.com:organization/repository.git +# matrix_synapse_container_image_customizations_templates_git_repository_branch: main +# matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: true +# matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: github.com +# ``` +# +# See: https://github.com/matrix-org/synapse/blob/develop/docs/templates.md +matrix_synapse_container_image_customizations_templates_enabled: false +matrix_synapse_container_image_customizations_templates_in_container_base_path: /custom-templates +matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: '' +matrix_synapse_container_image_customizations_templates_in_container_full_path: "{{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/{{ matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path }}" +matrix_synapse_container_image_customizations_templates_git_repository_url: '' +matrix_synapse_container_image_customizations_templates_git_repository_branch: main +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: false +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: '' + # matrix_synapse_container_image_customizations_dockerfile_body contains your custom Dockerfile steps # for building your customized Synapse image based on the original (upstream) image (`matrix_synapse_docker_image`). # A `FROM ...` clause is included automatically so you don't have to. @@ -34,28 +69,43 @@ matrix_synapse_container_image_customizations_s3_storage_provider_installation_e # RUN echo 'You do NOT need to include a FROM clause yourself.' matrix_synapse_container_image_customizations_dockerfile_body_custom: '' -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" -matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.71.0 +matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrix-org/synapse:{{ matrix_synapse_docker_image_tag }}" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_synapse_docker_image_registry_prefix }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" +matrix_synapse_docker_image_registry_prefix: ghcr.io/ # matrix_synapse_docker_image_customized is the name of the locally built Synapse image # which adds various customizations on top of the original (upstream) Synapse image. # This image will be based on the upstream `matrix_synapse_docker_image` image, only if `matrix_synapse_container_image_customizations_enabled: true`. matrix_synapse_docker_image_customized: "localhost/matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}-customized" +# Controls whether the customized image (`matrix_synapse_docker_image_customized`) is to be force-built without layer caching enabled. +# This is useful if you've enabled customizations (e.g. `matrix_synapse_container_image_customizations_templates_enabled`), +# which clone some branch of some repository, and you'd like for each Ansible run to pull new revisions from that branch. +matrix_synapse_docker_image_customized_build_nocache: false + +# Controls whether the customized image (`matrix_synapse_docker_image_customized`) is to be built, even if it already exists. +# Related to: matrix_synapse_docker_image_customized_build_nocache +matrix_synapse_docker_image_customized_force_source: "{{ matrix_synapse_docker_image_customized_build_nocache }}" + # matrix_synapse_docker_image_final holds the name of the Synapse image to run depending on whether or not customizations are enabled. matrix_synapse_docker_image_final: "{{ matrix_synapse_docker_image_customized if matrix_synapse_container_image_customizations_enabled else matrix_synapse_docker_image }} " matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" + matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_customized_docker_src_files_path: "{{ matrix_synapse_base_path }}/customized-docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" +matrix_synapse_bin_path: "{{ matrix_synapse_base_path }}/bin" + matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" -matrix_synapse_ext_s3_storage_provider_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" + +matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" +matrix_synapse_ext_s3_storage_provider_bin_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/bin" +matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data" matrix_synapse_container_client_api_port: 8008 @@ -63,6 +113,14 @@ matrix_synapse_container_federation_api_tls_port: 8448 matrix_synapse_container_federation_api_plain_port: 8048 +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_synapse_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_synapse_container_additional_networks: [] + # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/{{ matrix_synapse_container_client_api_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -101,15 +159,15 @@ matrix_synapse_container_manhole_api_host_bind_port: '' # Also see `matrix_synapse_container_arguments` matrix_synapse_container_extra_arguments: [] -# matrix_synapse_container_runtime_injected_arguments is a list of extra arguments to pass to the container. -# This list is built during runtime. You're not meant to override this variable. +# matrix_synapse_container_extra_arguments_auto is a list of extra arguments to pass to the container. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_container_extra_arguments`. -matrix_synapse_container_runtime_injected_arguments: [] +matrix_synapse_container_extra_arguments_auto: [] # matrix_synapse_container_arguments holds the final list of extra arguments to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_container_extra_arguments`. -matrix_synapse_container_arguments: "{{ matrix_synapse_container_extra_arguments + matrix_synapse_container_runtime_injected_arguments }}" +matrix_synapse_container_arguments: "{{ matrix_synapse_container_extra_arguments + matrix_synapse_container_extra_arguments_auto }}" # List of systemd services that matrix-synapse.service depends on matrix_synapse_systemd_required_services_list: ['docker.service'] @@ -117,7 +175,7 @@ matrix_synapse_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-synapse.service wants matrix_synapse_systemd_wanted_services_list: [] -matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.9/site-packages" +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.11/site-packages" # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste @@ -212,6 +270,13 @@ matrix_synapse_rc_federation: matrix_synapse_federation_rr_transactions_per_room_per_second: 50 +# Controls the templates directory setting. +# +# See: +# - `matrix_synapse_container_image_customizations_templates_enabled` +# - https://github.com/matrix-org/synapse/blob/develop/docs/templates.md +matrix_synapse_templates_custom_template_directory: "{{ matrix_synapse_container_image_customizations_templates_in_container_full_path if matrix_synapse_container_image_customizations_templates_enabled else '' }}" + # Controls whether the TLS federation listener is enabled (tcp/8448). # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). # Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_federation_api_plain_port` as well. @@ -269,6 +334,11 @@ matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false # Defaults to 'true'. matrix_synapse_include_profile_data_on_invite: true + +# User search behaviour +matrix_synapse_user_directory_search_all_users: false +matrix_synapse_user_directory_prefer_local_users: false + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false # Controls whether people with access to the homeserver can register by themselves without verification (email/msisdn/token) @@ -306,6 +376,11 @@ matrix_synapse_auto_join_rooms: [] # automatically if they don't already exist. matrix_synapse_autocreate_auto_join_rooms: true +# Controls whether password authentication is allowed +# It may be useful when you've configured OAuth, SAML or CAS and want authentication +# to happen only through them +matrix_synapse_password_config_enabled: true + # Controls password-peppering for Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" @@ -371,15 +446,15 @@ matrix_synapse_additional_loggers: [] # Also see `matrix_synapse_app_service_config_files_final` matrix_synapse_app_service_config_files: [] -# matrix_synapse_app_service_runtime_injected_config_files is a list of appservice config files. -# This list is built during runtime. You're not meant to override this variable. +# matrix_synapse_app_service_config_files_auto is a list of appservice config files. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_app_service_config_files`. -matrix_synapse_app_service_runtime_injected_config_files: [] +matrix_synapse_app_service_config_files_auto: [] # matrix_synapse_app_service_config_files_final holds the final list of config files to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_app_service_config_files`. -matrix_synapse_app_service_config_files_final: "{{ matrix_synapse_app_service_config_files + matrix_synapse_app_service_runtime_injected_config_files }}" +matrix_synapse_app_service_config_files_final: "{{ matrix_synapse_app_service_config_files + matrix_synapse_app_service_config_files_auto }}" # This is set dynamically during execution depending on whether # any password providers have been enabled or not. @@ -548,11 +623,6 @@ matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 # Adjusting this value manually is generally not necessary. matrix_synapse_federation_pusher_instances: [] -# matrix_synapse_start_pushers controls if the main Synapse process should push out notifications or if it should be left to pusher workers (see `matrix_synapse_federation_pusher_instances`). -# This is enabled if workers are disabled, or if they are enabled, but there are no pusher workers. -# Adjusting this value manually is generally not necessary. -matrix_synapse_start_pushers: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'pusher') | list | length == 0) }}" - # matrix_synapse_workers_federation_sender_workers_count controls the number of federation sender workers to spawn. # See https://matrix-org.github.io/synapse/latest/workers.html#synapseappfederation_sender matrix_synapse_workers_federation_sender_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_sender_workers_count'] }}" @@ -563,19 +633,14 @@ matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 # Adjusting this value manually is generally not necessary. matrix_synapse_federation_sender_instances: [] -# matrix_synapse_send_federation controls if the main Synapse process should send federation traffic or if it should be left to federation_sender workers (see `matrix_synapse_federation_sender_instances`). -# This is allowed if workers are disabled, or they are enabled, but there are no federation sender workers. -# Adjusting this value manually is generally not necessary. -matrix_synapse_send_federation: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'federation_sender') | list | length == 0) }}" - -matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" +matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] if not matrix_synapse_ext_media_repo_enabled else 0 }}" matrix_synapse_workers_media_repository_workers_port_range_start: 18551 matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 # matrix_synapse_enable_media_repo controls if the main Synapse process should serve media repository endpoints or if it should be left to media_repository workers (see `matrix_synapse_workers_media_repository_workers_count`). # This is enabled if workers are disabled, or if they are enabled, but there are no media repository workers. # Adjusting this value manually is generally not necessary. -matrix_synapse_enable_media_repo: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0) }}" +matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}" # matrix_synapse_media_instance_running_background_jobs populates the `media_instance_running_background_jobs` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # `media_instance_running_background_jobs` is meant to point to a single media-repository worker, which is dedicated to running background tasks that maintain the media repository. @@ -651,9 +716,18 @@ matrix_synapse_run_background_tasks_on: "{{ (matrix_synapse_workers_enabled_list # - { 'id': 'media-repository-0', 'name': 'matrix-synapse-worker-media-repository-0', 'type': 'media_repository', 'port': 18551, 'metrics_port': 19551, 'webserving': true } matrix_synapse_workers_enabled_list: [] -# matrix_synapse_instance_map holds the instance map used for mapping worker names (for certain generic workers only!) to where they live (host, port which handles replication traffic). -# This is populated automatically based on `matrix_synapse_workers_enabled_list` during runtime, so you're not required to tweak it manually. -matrix_synapse_instance_map: {} +# matrix_synapse_instance_map holds the instance map used for mapping worker names (for the main process and certain generic workers only!) to where they live (host, port which handles replication traffic). +# This map starts off being populated with the Synapse main (master) process, +# but will be populated with workers automatically during runtime, based on `matrix_synapse_workers_enabled_list`. +matrix_synapse_instance_map: | + {{ + { + 'main': { + 'host': 'matrix-synapse', + 'port': matrix_synapse_replication_http_port, + }, + } if matrix_synapse_workers_enabled else {} + }} # Redis information matrix_synapse_redis_enabled: false @@ -665,7 +739,7 @@ matrix_synapse_redis_password: "" # # If Redis is available, we prefer to use that, instead of talking over Synapse's custom replication protocol. # -# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not matrix_redis_enabled }}" +# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not redis_enabled }}" # We force-enable this listener for now until we debug why communication via Redis fails. matrix_synapse_replication_listener_enabled: true @@ -681,7 +755,7 @@ matrix_synapse_sentry_dsn: "" # Postgres database information matrix_synapse_database_txn_limit: 0 -matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_host: '' matrix_synapse_database_port: 5432 matrix_synapse_database_user: "synapse" matrix_synapse_database_password: "" @@ -698,6 +772,7 @@ matrix_synapse_email_smtp_user: "" matrix_synapse_email_smtp_pass: "" matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix " +matrix_synapse_email_app_name: Matrix matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}" matrix_synapse_email_invite_client_location: "https://app.element.io" @@ -714,11 +789,10 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.3/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true -# We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605 -matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml | from_yaml }}" matrix_synapse_ext_password_provider_shared_secret_config_yaml: | shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret | string | to_json }} @@ -729,6 +803,7 @@ matrix_synapse_ext_password_provider_shared_secret_config_yaml: | matrix_synapse_ext_password_provider_ldap_enabled: false matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" matrix_synapse_ext_password_provider_ldap_start_tls: true +matrix_synapse_ext_password_provider_ldap_mode: "search" matrix_synapse_ext_password_provider_ldap_base: "" matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" @@ -795,7 +870,7 @@ matrix_synapse_ext_encryption_config_yaml: | # Installing it requires building a customized Docker image for Synapse (see `matrix_synapse_container_image_customizations_enabled`). # Enabling this will enable customizations and inject the appropriate Dockerfile clauses for installing synapse-s3-storage-provider. matrix_synapse_ext_synapse_s3_storage_provider_enabled: false -matrix_synapse_ext_synapse_s3_storage_provider_version: 1.1.2 +matrix_synapse_ext_synapse_s3_storage_provider_version: 1.2.1 # Controls whether media from this (local) server is stored in s3-storage-provider matrix_synapse_ext_synapse_s3_storage_provider_store_local: true # Controls whether media from remote servers is stored in s3-storage-provider @@ -810,16 +885,30 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: '' matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: '' matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: '' matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: '' +# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly +# via matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id and matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key +matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: '' +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256' matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size: 40 # matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count is a day value (number) for the `s3_media_upload update-db` command. # It specifies how old files need to have been inactive to be eligible for migration from the local filesystem to the S3 data store. # By default, we use `0` which says "all files are eligible for migration". matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0 +# Specifies how often periodic migration (`matrix-synapse-s3-storage-provider-migrate.timer`) will run. +# This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS +matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00' + +# Specifies whether an external media repository is enabled. +# If it is, the Synapse media repo and media-repo workers will be disabled automatically. +matrix_synapse_ext_media_repo_enabled: false matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false -matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_goofys_docker_image: "{{ matrix_s3_goofys_docker_image_name_prefix }}ewoutp/goofys:latest" +matrix_s3_goofys_docker_image_name_prefix: "docker.io/" matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" matrix_s3_media_store_bucket_name: "your-bucket-name" @@ -848,7 +937,11 @@ matrix_synapse_room_list_publication_rules: room_id: "*" action: allow -matrix_synapse_default_room_version: "9" +matrix_synapse_default_room_version: "10" + +# Controls whether leaving a room will automatically forget it. +# The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently. +matrix_synapse_forget_rooms_on_leave: true # Controls the Synapse `spam_checker` setting. # @@ -895,7 +988,8 @@ matrix_synapse_redaction_retention_period: 7d matrix_synapse_user_ips_max_age: 28d -matrix_synapse_rust_synapse_compress_state_docker_image: "registry.gitlab.com/mb-saces/rust-synapse-compress-state:latest" +matrix_synapse_rust_synapse_compress_state_docker_image: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix }}mb-saces/rust-synapse-compress-state:latest" +matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix: "registry.gitlab.com/" matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}" matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state" diff --git a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml deleted file mode 100644 index e0e61df8e..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" - when: matrix_synapse_ext_encryption_disabler_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" - when: "not matrix_synapse_ext_encryption_disabler_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml index 6ba5946d9..3725545fd 100644 --- a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml @@ -6,8 +6,8 @@ dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py" force: true mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup.yml b/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml similarity index 79% rename from roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup.yml rename to roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml index 5d648c848..c13a04044 100644 --- a/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup.yml +++ b/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml @@ -9,4 +9,3 @@ + [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} - when: matrix_synapse_ext_password_provider_ldap_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml deleted file mode 100644 index 1a3e097dc..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" - when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml index 5d36a2348..f32188080 100644 --- a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -11,7 +11,7 @@ version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" dest: "{{ matrix_synapse_ext_path }}/mjolnir" become: true - become_user: "{{ matrix_user_username }}" + become_user: "{{ matrix_synapse_username }}" - ansible.builtin.set_fact: matrix_synapse_spam_checker: > diff --git a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml deleted file mode 100644 index 6df360ce9..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" - when: "not matrix_synapse_ext_password_provider_rest_auth_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml index 3c4d8cb5d..ad58830a6 100644 --- a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -11,8 +11,8 @@ dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" force: true mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml deleted file mode 100644 index 008161cb1..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-s3-storage-provider-migrate.timer'] }}" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml deleted file mode 100644 index aefa49fe4..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml index 684fb2c99..384f16815 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml @@ -7,34 +7,37 @@ # # Below are additional tasks for setting up various helper scripts, etc. +- name: Ensure s3-storage-provider paths exists + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" + with_items: + - "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" + - "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}" + - name: Ensure s3-storage-provider env file installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/env.j2" - dest: "{{ matrix_synapse_ext_s3_storage_provider_path }}/env" + dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/env" mode: 0640 -- name: Ensure s3-storage-provider data path exists - ansible.builtin.file: - path: "{{ matrix_synapse_ext_s3_storage_provider_path }}/data" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure s3-storage-provider database.yaml file installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/database.yaml.j2" - dest: "{{ matrix_synapse_ext_s3_storage_provider_path }}/data/database.yaml" + dest: "{{ matrix_synapse_ext_s3_storage_provider_data_path }}/database.yaml" mode: 0640 - name: Ensure s3-storage-provider scripts installed ansible.builtin.template: - src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/usr-local-bin/{{ item }}.j2" - dest: "{{ matrix_local_bin_path }}/{{ item }}" + src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/bin/{{ item }}.j2" + dest: "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}/{{ item }}" mode: 0750 with_items: - - matrix-synapse-s3-storage-provider-shell - - matrix-synapse-s3-storage-provider-migrate + - shell + - migrate - name: Ensure matrix-synapse-s3-storage-provider-migrate.service and timer are installed ansible.builtin.template: @@ -45,8 +48,3 @@ - matrix-synapse-s3-storage-provider-migrate.service - matrix-synapse-s3-storage-provider-migrate.timer register: matrix_synapse_s3_storage_provider_systemd_service_result - -- name: Ensure systemd reloaded after matrix-synapse-s3-storage-provider-migrate.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_synapse_s3_storage_provider_systemd_service_result.changed | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml index a828070c9..83e8a0f7d 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml @@ -9,16 +9,7 @@ - matrix-synapse-s3-storage-provider-migrate.service register: matrix_synapse_s3_storage_provider_migrate_sevice_removal -- name: Ensure systemd reloaded after matrix-synapse-s3-storage-provider-migrate.service removal - ansible.builtin.service: - daemon_reload: true - when: matrix_synapse_s3_storage_provider_migrate_sevice_removal.changed | bool - - name: Ensure s3-storage-provider files don't exist ansible.builtin.file: - path: "{{ item }}" + path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" state: absent - with_items: - - "{{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-shell" - - "{{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-migrate" - - "{{ matrix_synapse_ext_s3_storage_provider_path }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index d71809fe5..406f186dc 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml @@ -1,5 +1,4 @@ --- - - name: Fail if required s3-storage-provider settings not defined ansible.builtin.fail: msg: >- @@ -8,6 +7,14 @@ with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + +- name: Fail if required s3-storage-provider auth settings not defined when not using an EC2 profile + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. + when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''" + with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" @@ -15,4 +22,4 @@ ansible.builtin.fail: msg: >- `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url` needs to look like a URL (`http://` or `https://` prefix). - when: "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url != '' and not matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')" + when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup.yml b/roles/custom/matrix-synapse/tasks/ext/setup.yml deleted file mode 100644 index 6cf1afaa4..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/setup.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup.yml" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml new file mode 100644 index 000000000..4adb6566a --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml @@ -0,0 +1,74 @@ +--- + +# encryption-disabler +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_encryption_disabler_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" + +# rest-auth +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" + +# shared-secret-auth +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" + +# ldap-auth +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_password_provider_ldap_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" + +# synapse-simple-antispam +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" + +# mjolnir-antispam +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + +# s3-storage-provider +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" + + - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml new file mode 100644 index 000000000..f584f584d --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml @@ -0,0 +1,52 @@ +--- + +# encryption-disabler +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_encryption_disabler_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" + +# rest-auth +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" + +# shared-secret-auth +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" + +# ldap-auth has no uninstall tasks + + +# synapse-simple-antispam +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" + +# mjolnir-antispam +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + +# s3-storage-provider +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml deleted file mode 100644 index 6dc385d37..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" - when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml index 6dead7360..c974bd2cf 100644 --- a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -16,8 +16,8 @@ dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" force: true mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml deleted file mode 100644 index 038eea749..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" - when: "not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 15fe220ab..e62c62dfe 100644 --- a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -16,7 +16,7 @@ version: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version }}" dest: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam" become: true - become_user: "{{ matrix_user_username }}" + become_user: "{{ matrix_synapse_username }}" - ansible.builtin.set_fact: matrix_synapse_modules: > diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup.yml b/roles/custom/matrix-synapse/tasks/goofys/setup.yml deleted file mode 100644 index 2f9eaa870..000000000 --- a/roles/custom/matrix-synapse/tasks/goofys/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: matrix_s3_media_store_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - when: "not matrix_s3_media_store_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml index 7649beb4c..dd6d3e922 100644 --- a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_role: +- ansible.builtin.include_role: name: custom/matrix-base tasks_from: ensure_fuse_installed @@ -27,8 +27,8 @@ path: "{{ matrix_s3_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" when: "not local_path_matrix_s3_media_store_path_stat.failed and not local_path_matrix_s3_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created @@ -43,9 +43,3 @@ src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service" mode: 0644 - register: matrix_goofys_systemd_service_result - -- name: Ensure systemd reloaded after matrix-goofys.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml index ddfa5cf60..252877dee 100644 --- a/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service" register: matrix_goofys_service_stat -- name: Ensure matrix-goofys is stopped - ansible.builtin.service: - name: matrix-goofys - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_goofys_service_stat.stat.exists" +- when: matrix_goofys_service_stat.stat.exists | bool + block: + - name: Ensure matrix-goofys is stopped + ansible.builtin.service: + name: matrix-goofys + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-goofys.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service" - state: absent - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-goofys.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure goofys environment variables file doesn't exist - ansible.builtin.file: - path: "{{ matrix_synapse_config_dir_path }}/env-goofys" - state: absent + - name: Ensure matrix-goofys.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service" + state: absent -- name: Ensure Goofys Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - state: absent + - name: Ensure goofys environment variables file doesn't exist + ansible.builtin.file: + path: "{{ matrix_synapse_config_dir_path }}/env-goofys" + state: absent diff --git a/roles/custom/matrix-synapse/tasks/import_media_store.yml b/roles/custom/matrix-synapse/tasks/import_media_store.yml index bdd99ca4d..a6c085874 100644 --- a/roles/custom/matrix-synapse/tasks/import_media_store.yml +++ b/roles/custom/matrix-synapse/tasks/import_media_store.yml @@ -66,8 +66,8 @@ - name: Ensure media store permissions are correct (generic case) ansible.builtin.file: path: "{{ matrix_synapse_media_store_path }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" recurse: true when: "not matrix_s3_media_store_enabled | bool" diff --git a/roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml b/roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml similarity index 60% rename from roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml rename to roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml index b885ea975..92bd36b42 100644 --- a/roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml +++ b/roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml @@ -1,12 +1,5 @@ --- -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled | bool" - - name: Fail if playbook called incorrectly ansible.builtin.fail: msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" @@ -22,48 +15,6 @@ msg: "File cannot be found on the server at {{ server_path_homeserver_db }}" when: "not result_server_path_homeserver_db_stat.stat.exists" - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - daemon_reload: true - -- name: Ensure postgres data is wiped out - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: absent - -- name: Ensure postgres data path exists - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: restarted - daemon_reload: true - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. # @@ -78,7 +29,7 @@ --log-driver=none --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL - --network={{ matrix_docker_network }} + --network={{ matrix_synapse_container_network }} --entrypoint=python --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/matrix-media-store-parent/media-store diff --git a/roles/custom/matrix-synapse/tasks/init.yml b/roles/custom/matrix-synapse/tasks/init.yml index 9146936a0..0b1273c16 100644 --- a/roles/custom/matrix-synapse/tasks/init.yml +++ b/roles/custom/matrix-synapse/tasks/init.yml @@ -1,35 +1,18 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Synapse image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" - when: "matrix_synapse_enabled and matrix_synapse_workers_enabled and matrix_synapse_workers_enabled_list | length == 0" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" - when: matrix_synapse_enabled | bool + when: "matrix_synapse_workers_enabled | bool and matrix_synapse_workers_enabled_list | length == 0" - name: Ensure workers are injected into various places ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/util/inject_worker.yml" with_items: "{{ matrix_synapse_workers_enabled_list }}" loop_control: loop_var: matrix_synapse_worker_details - when: matrix_synapse_enabled | bool and matrix_synapse_workers_enabled | bool - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" - when: matrix_s3_media_store_enabled | bool - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/init.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + when: matrix_synapse_workers_enabled | bool -- when: matrix_synapse_enabled | bool and matrix_synapse_metrics_proxying_enabled | bool +- when: matrix_synapse_metrics_proxying_enabled | bool block: - name: Fail if matrix-nginx-proxy role already executed ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 7068dcefc..743dab5fe 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -1,57 +1,79 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + - setup-synapse-reverse-proxy-companion + - install-synapse-reverse-proxy-companion + - start + - start-all + - start-group + - restart + - restart-all + - restart-group + - stop + - stop-all + - stop-group + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_synapse_enabled | bool - tags: +- tags: - setup-all - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_synapse.yml" - when: run_setup | bool - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_media_store.yml" - when: run_synapse_import_media_store | bool - tags: +- tags: - import-synapse-media-store + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_media_store.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user | bool and matrix_synapse_enabled | bool - tags: - - register-user - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool - tags: - - self-check +- tags: + - import-synapse-sqlite-db + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool - tags: - - self-check +- tags: + - register-user + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password | bool and matrix_synapse_enabled | bool - tags: +- tags: - update-user-password + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/update_user_password.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" - when: run_synapse_rust_synapse_compress_state | bool - tags: +- tags: - rust-synapse-compress-state + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" + +- tags: + - self-check + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" -- name: Mark matrix-synapse role as executed - ansible.builtin.set_fact: - matrix_synapse_role_executed: true - tags: - - always + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" diff --git a/roles/custom/matrix-synapse/tasks/register_user.yml b/roles/custom/matrix-synapse/tasks/register_user.yml index 817484495..215409593 100644 --- a/roles/custom/matrix-synapse/tasks/register_user.yml +++ b/roles/custom/matrix-synapse/tasks/register_user.yml @@ -28,6 +28,7 @@ when: "start_result.changed" - name: Register user - ansible.builtin.command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" + ansible.builtin.command: + cmd: "{{ matrix_synapse_bin_path }}/register-user {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" register: matrix_synapse_register_user_result changed_when: matrix_synapse_register_user_result.rc == 0 diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index e5cf8e8ec..7f5e05666 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml @@ -7,9 +7,9 @@ ansible.builtin.set_fact: matrix_synapse_rust_synapse_compress_state_compress_room_command: >- {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} --cap-drop=ALL - --network={{ matrix_docker_network }} + --network={{ matrix_synapse_container_network }} --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work {{ matrix_synapse_rust_synapse_compress_state_docker_image }} {{ matrix_synapse_rust_synapse_compress_state_synapse_compress_state_in_container_path }} -t -o /work/state-compressor.sql @@ -31,15 +31,15 @@ ansible.builtin.set_fact: matrix_synapse_rust_synapse_compress_state_psql_import_command: >- {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --user={{ devture_postgres_uid }}:{{ devture_postgres_gid }} --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --network={{ devture_postgres_container_network }} + --env-file={{ devture_postgres_base_path }}/env-postgres-psql --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work,ro --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} + {{ devture_postgres_container_image_latest }} -c "cat /work/state-compressor.sql | - psql -v ON_ERROR_STOP=1 -h matrix-postgres -d {{ matrix_synapse_database_database }}" + psql -v ON_ERROR_STOP=1 -h {{ devture_postgres_connection_hostname }} -d {{ matrix_synapse_database_database }}" - name: Import compression SQL into Postgres ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}" diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml index 17124e251..8f781e519 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -3,8 +3,8 @@ - name: Fail if Postgres not enabled ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot use rust-synapse-compress-state." - when: "not matrix_postgres_enabled | bool" + msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot use rust-synapse-compress-state." + when: "not devture_postgres_enabled | bool" # Defaults @@ -39,8 +39,8 @@ path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" - name: Ensure rust-synapse-compress-state image is pulled community.docker.docker_image: @@ -53,17 +53,11 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Generate rust-synapse-compress-state room find command + +- name: Generate rust-synapse-compress-state room find SQL command ansible.builtin.set_fact: matrix_synapse_rust_synapse_compress_state_find_rooms_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-find-rooms - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c - 'SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;' + {{ devture_postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;" - name: Find rooms eligible for compression with rust-synapse-compress-state ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}" diff --git a/roles/custom/matrix-synapse/tasks/self_check_client_api.yml b/roles/custom/matrix-synapse/tasks/self_check_client_api.yml index 1c03ba5b0..7ec3fb09b 100644 --- a/roles/custom/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/custom/matrix-synapse/tasks/self_check_client_api.yml @@ -9,6 +9,8 @@ ignore_errors: true check_mode: false when: matrix_synapse_enabled | bool + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Client API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml b/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml index 80ec4fc21..fde73dae0 100644 --- a/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml @@ -9,6 +9,8 @@ ignore_errors: true check_mode: false when: matrix_synapse_enabled | bool + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Federation API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml new file mode 100644 index 000000000..a2185da57 --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -0,0 +1,63 @@ +--- + +- name: Ensure Synapse paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" + with_items: + - {path: "{{ matrix_synapse_config_dir_path }}", when: true} + - {path: "{{ matrix_synapse_ext_path }}", when: true} + - {path: "{{ matrix_synapse_bin_path }}", when: true} + - {path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}"} + - {path: "{{ matrix_synapse_customized_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_customizations_enabled }}"} + + - {path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + - {path: "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + - {path: "{{ matrix_synapse_ext_s3_storage_provider_data_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + + # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), + # because if it's using Goofys and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. + when: item.when | bool + +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" + + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" + +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_workers_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" + +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" + +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" + + - when: not matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/setup_synapse.yml b/roles/custom/matrix-synapse/tasks/setup_synapse.yml deleted file mode 100644 index 13a5819e1..000000000 --- a/roles/custom/matrix-synapse/tasks/setup_synapse.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Ensure Synapse paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_synapse_config_dir_path }}", when: true} - - {path: "{{ matrix_synapse_ext_path }}", when: true} - - {path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}"} - - {path: "{{ matrix_synapse_customized_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_customizations_enabled }}"} - - {path: "{{ matrix_synapse_ext_s3_storage_provider_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} - # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), - # because if it's using Goofys and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. - when: "(matrix_synapse_enabled | bool or matrix_s3_media_store_enabled | bool) and item.when" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/synapse/workers/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/synapse/setup.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml new file mode 100644 index 000000000..7ce5e13dd --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml @@ -0,0 +1,27 @@ +--- + +- tags: + - setup-all + - setup-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" + +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_workers_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" + +- tags: + - setup-all + - setup-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" + +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 429179de4..7bdf5ddc8 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml @@ -14,8 +14,8 @@ path: "{{ matrix_synapse_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - when: "matrix_synapse_container_image_self_build | bool" @@ -27,7 +27,7 @@ version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" become: true - become_user: "{{ matrix_user_username }}" + become_user: "{{ matrix_synapse_username }}" register: matrix_synapse_git_pull_results - name: Check if Synapse Docker image exists @@ -48,6 +48,7 @@ . environment: DOCKER_BUILDKIT: 1 + changed_when: true when: "matrix_synapse_git_pull_results.changed | bool or matrix_synapse_docker_image_check_result.stdout == ''" - name: Ensure Synapse Docker image is pulled @@ -68,23 +69,20 @@ ansible.builtin.template: src: "{{ role_path }}/templates/synapse/customizations/Dockerfile.j2" dest: "{{ matrix_synapse_customized_docker_src_files_path }}/Dockerfile" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" mode: 0640 + register: matrix_synapse_container_image_customizations_dockerfile_result - name: Ensure customized Docker image for Synapse is built community.docker.docker_image: name: "{{ matrix_synapse_docker_image_customized }}" source: build + force_source: "{{ matrix_synapse_container_image_customizations_dockerfile_result.changed or matrix_synapse_docker_image_customized_force_source }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_customized_docker_src_files_path }}" - pull: true - -- name: Check if a Synapse signing key exists - ansible.builtin.stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - register: matrix_synapse_signing_key_stat + nocache: "{{ matrix_synapse_docker_image_customized_build_nocache }}" # We do this so that the signing key would get generated. # @@ -94,27 +92,28 @@ # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent docker-py version, which is not available for a lot of people yet. - name: Generate initial Synapse config and signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-config - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml - -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} - -e SYNAPSE_REPORT_STATS=no - {{ matrix_synapse_docker_image }} - generate - when: "not matrix_synapse_signing_key_stat.stat.exists" + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-config + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} + --cap-drop=ALL + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} + -e SYNAPSE_REPORT_STATS=no + {{ matrix_synapse_docker_image }} + generate + creates: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - name: Ensure Synapse homeserver config installed ansible.builtin.copy: content: "{{ matrix_synapse_configuration | to_nice_yaml(indent=2, width=999999) }}" dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" - name: Ensure Synapse log config installed ansible.builtin.template: @@ -122,29 +121,28 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.log.config" mode: 0644 +- name: Ensure Synapse container network is created + community.general.docker_network: + name: "{{ matrix_synapse_container_network }}" + driver: bridge + - name: Ensure matrix-synapse.service installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" mode: 0644 - register: matrix_synapse_systemd_service_result - -- name: Ensure systemd reloaded after matrix-synapse.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_synapse_systemd_service_result.changed" -- name: Ensure matrix-synapse-register-user script created +- name: Ensure register-user script created ansible.builtin.template: - src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" - dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" + src: "{{ role_path }}/templates/synapse/bin/register-user.j2" + dest: "{{ matrix_synapse_bin_path }}/register-user" mode: 0755 - name: Generate sample prometheus.yml for external scraping ansible.builtin.template: src: "{{ role_path }}/templates/synapse/prometheus/external_prometheus.yml.example.j2" dest: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" mode: 0644 when: matrix_synapse_metrics_proxying_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml index 17fa8a4fa..6b8ae5a01 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml @@ -5,36 +5,25 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" register: matrix_synapse_service_stat -- name: Ensure matrix-synapse is stopped - ansible.builtin.service: - name: matrix-synapse - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_synapse_service_stat.stat.exists" +- when: matrix_synapse_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse is stopped + ansible.builtin.service: + name: matrix-synapse + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-synapse.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" - state: absent - when: "matrix_synapse_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-synapse.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_synapse_service_stat.stat.exists" - -- name: Ensure Synapse Docker image doesn't exist - community.docker.docker_image: - name: "{{ item }}" - state: absent - with_items: - - "{{ matrix_synapse_docker_image_final }}" - - "{{ matrix_synapse_docker_image }}" + - name: Ensure Synapse paths don't exist + ansible.builtin.file: + path: "{{ item }}" + state: absent + with_items: + - "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" + - "{{ matrix_synapse_bin_path }}" -- name: Ensure sample prometheus.yml for external scraping is deleted - ansible.builtin.file: - path: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example" - state: absent - when: "not matrix_synapse_metrics_proxying_enabled | bool" + - name: Ensure sample prometheus.yml for external scraping is deleted + ansible.builtin.file: + path: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example" + state: absent + when: "not matrix_synapse_metrics_proxying_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index d88884d09..68b8f37e3 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -21,7 +21,7 @@ ansible.builtin.set_fact: worker: id: "stream-writer-{{ idx }}-{{ item.stream }}" - # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. + # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}" type: 'stream_writer' app: "generic_worker" @@ -46,7 +46,7 @@ id: "federation-sender-{{ item }}" name: "matrix-synapse-worker-federation-sender-{{ item }}" type: 'federation_sender' - app: 'federation_sender' + app: 'generic_worker' webserving: false port: 0 metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" @@ -58,14 +58,13 @@ matrix_synapse_federation_sender_instances: "{{ matrix_synapse_federation_sender_instances + [item.ansible_facts.worker.name] }}" with_items: "{{ matrix_synapse_workers_list_results_federation_sender_workers.results }}" -# This type of worker can only have a count of 1, at most - name: Build pusher workers ansible.builtin.set_fact: worker: id: "pusher-{{ item }}" name: "matrix-synapse-worker-pusher-{{ item }}" type: 'pusher' - app: 'pusher' + app: 'generic_worker' webserving: false port: 0 metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml deleted file mode 100644 index 1458cc0a2..000000000 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -# A previous version of the worker setup used this. -# This is a temporary cleanup for people who ran that version. -- name: Ensure old matrix-synapse.service.wants directory is gone - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service.wants" - state: absent - -# Same. This was part of a previous version of the worker setup. -# No longer necessary. -- name: Ensure matrix-synapse-worker-write-pid script is removed - ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" - state: absent - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" - when: "matrix_synapse_enabled | bool and matrix_synapse_workers_enabled | bool" - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" - when: "not matrix_synapse_workers_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml index 74ca6c358..85ddf3b94 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml @@ -7,12 +7,16 @@ use_regex: true register: matrix_synapse_workers_current_config_files +- ansible.builtin.set_fact: + matrix_synapse_enabled_worker_names: "{{ matrix_synapse_workers_enabled_list | map(attribute='name') }}" + # This also deletes some things which we need. They will be recreated below. -- name: Ensure previous worker configs are cleaned +- name: Ensure unnecessary worker configs are cleaned ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ matrix_synapse_workers_current_config_files.files }}" + when: "not ansible_check_mode and (item.path | basename | replace ('worker.', '') | replace('.yaml', '')) not in matrix_synapse_enabled_worker_names" - name: Determine current worker systemd services ansible.builtin.find: @@ -27,13 +31,14 @@ state: stopped enabled: false with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - when: "not ansible_check_mode and item.path | basename not in matrix_systemd_services_list" + when: "not ansible_check_mode and (item.path | basename | replace('.service', '')) not in matrix_synapse_enabled_worker_names" - name: Ensure unnecessary worker systemd services are cleaned ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" + when: "not ansible_check_mode and (item.path | basename | replace('.service', '')) not in matrix_synapse_enabled_worker_names" - name: Ensure creation of worker systemd service files and configuration files ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/util/setup_files_for_worker.yml" diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml index 4542f19c1..c52777ebd 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml @@ -53,7 +53,7 @@ when: "'replication_port' not in matrix_synapse_worker_details" - ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + [matrix_synapse_worker_details.name + '.service'] }}" + devture_systemd_service_manager_services_list_auto: "{{ devture_systemd_service_manager_services_list_auto + [{'name': (matrix_synapse_worker_details.name + '.service'), 'priority': 1100, 'groups': ['matrix', 'homeservers', 'synapse']}] }}" - ansible.builtin.set_fact: matrix_synapse_webserving_workers_systemd_services_list: "{{ matrix_synapse_webserving_workers_systemd_services_list + [matrix_synapse_worker_details.name + '.service'] }}" @@ -61,7 +61,7 @@ # Inject stream writers into the instance map. - ansible.builtin.set_fact: - matrix_synapse_instance_map: "{{ matrix_synapse_instance_map | combine({matrix_synapse_worker_details.name: {'host': matrix_synapse_worker_details.name, 'port': matrix_synapse_worker_details.replication_port}}) }}" + matrix_synapse_instance_map: "{{ matrix_synapse_instance_map | combine({matrix_synapse_worker_details.name: {'host': matrix_synapse_worker_details.name, 'port': matrix_synapse_worker_details.replication_port | int}}) }}" when: matrix_synapse_worker_details.type in matrix_synapse_known_instance_map_eligible_worker_types # Inject pusher instances. diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml index 6910445e2..d35094129 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml @@ -10,8 +10,8 @@ src: "{{ role_path }}/templates/synapse/worker.yaml.j2" dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }}" mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" - name: Ensure systemd service exists for {{ matrix_synapse_worker_systemd_service_name }} ansible.builtin.template: diff --git a/roles/custom/matrix-synapse/tasks/update_user_password.yml b/roles/custom/matrix-synapse/tasks/update_user_password.yml index 3ddc4b8de..799c15a81 100644 --- a/roles/custom/matrix-synapse/tasks/update_user_password.yml +++ b/roles/custom/matrix-synapse/tasks/update_user_password.yml @@ -10,37 +10,43 @@ msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" when: "password is not defined or password == ''" -- name: Fail if not using matrix-postgres container +- name: Fail if not using integrated Postgres database ansible.builtin.fail: - msg: "This command is working only when matrix-postgres container is being used" - when: "not matrix_postgres_enabled | bool" + msg: "This command is working only when Postgres is installed via the the integrated com.devture.ansible.role.postgres role" + when: "not devture_postgres_enabled | bool" -- name: Ensure matrix-synapse is started +- name: Ensure Postgres is started ansible.builtin.service: - name: matrix-synapse + name: "{{ devture_postgres_identifier }}" state: started daemon_reload: true - register: start_result + register: postgres_start_result -- name: Ensure matrix-postgres is started +- name: Ensure Synapse is started ansible.builtin.service: - name: matrix-postgres + name: matrix-synapse state: started daemon_reload: true - register: postgres_start_result - + register: synapse_start_result -- name: Wait a while, so that Matrix Synapse can manage to start +- name: Wait a while, so that Synapse and/or Postgres can manage to start ansible.builtin.pause: seconds: 7 - when: "start_result.changed or postgres_start_result.changed" + when: "synapse_start_result.changed or postgres_start_result.changed" -- name: Generate password hash +- name: Generate user password hash ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password | quote }}" register: password_hash changed_when: false +- name: Generate user password-change SQL command + ansible.builtin.set_fact: + matrix_synapse_user_password_change_command: >- + {{ devture_postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "UPDATE users SET password_hash='{{ password_hash.stdout }}' WHERE name = '@{{ username }}:{{ matrix_domain }}'" + - name: Update user password hash - ansible.builtin.command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username | quote }} {{ password_hash.stdout | quote }}" + ansible.builtin.command: + cmd: "{{ matrix_synapse_user_password_change_command }}" register: matrix_synapse_update_user_password_result changed_when: matrix_synapse_update_user_password_result.rc == 0 + failed_when: "matrix_synapse_update_user_password_result.rc != 0 or matrix_synapse_update_user_password_result.stdout != 'UPDATE 1'" diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 0758c88fb..607c75b8c 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -6,11 +6,15 @@ You need to define a required configuration setting (`{{ item }}`) for using Synapse. when: "vars[item] == ''" with_items: - - "matrix_synapse_macaroon_secret_key" - - "matrix_synapse_database_host" - - "matrix_synapse_database_user" - - "matrix_synapse_database_password" - - "matrix_synapse_database_database" + - matrix_synapse_username + - matrix_synapse_uid + - matrix_synapse_gid + - matrix_synapse_container_network + - matrix_synapse_macaroon_secret_key + - matrix_synapse_database_host + - matrix_synapse_database_user + - matrix_synapse_database_password + - matrix_synapse_database_database - name: Fail if asking for more than 1 instance of single-instance workers ansible.builtin.fail: @@ -59,6 +63,10 @@ - {'old': 'matrix_synapse_workers_frontend_proxy_workers_count', 'new': ''} - {'old': 'matrix_synapse_workers_frontend_proxy_workers_port_range_start', 'new': ''} - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': ''} + - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'} + - {'old': 'matrix_synapse_send_federation', 'new': ''} + - {'old': 'matrix_synapse_start_pushers', 'new': ''} + - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml ansible.builtin.fail: @@ -68,3 +76,22 @@ when: "item.old in matrix_synapse_configuration_extension" with_items: - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'} + +- when: matrix_synapse_container_image_customizations_templates_enabled | bool + block: + - name: Fail if required `matrix_synapse_container_image_customizations_templates_*` settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`. + when: "vars[item] == ''" + with_items: + - matrix_synapse_container_image_customizations_templates_git_repository_url + - matrix_synapse_container_image_customizations_templates_git_repository_branch + + - name: Fail if required `matrix_synapse_container_image_customizations_templates_git_repository_keyscan_*` settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`. + when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and vars[item] == ''" + with_items: + - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname diff --git a/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index a1174bced..fea02d479 100644 --- a/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -13,11 +13,11 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm %n ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name %n \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} \ --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ --mount type=bind,src=/etc/group,dst=/etc/group,ro \ --mount type=bind,src={{ matrix_s3_media_store_path }},dst=/s3,bind-propagation=shared \ - --security-opt apparmor:unconfined \ + --security-opt apparmor=unconfined \ --cap-add mknod \ --cap-add sys_admin \ --device=/dev/fuse \ diff --git a/roles/custom/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 b/roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2 similarity index 100% rename from roles/custom/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 rename to roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2 diff --git a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 index 3919e9557..6257f1985 100644 --- a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 @@ -1,7 +1,51 @@ +#jinja2: lstrip_blocks: "True" FROM {{ matrix_synapse_docker_image }} {% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled %} RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }} {% endif %} +{% if matrix_synapse_container_image_customizations_templates_enabled %} +{# +This ugly script below does quite a lot: + - installs git and other dependencies temporarily, just so we could do a shallow-clone + - prepare the SSH config: keyscanning (if enabled), private key (if enabled) + - performs a git shallow clone with just the branch we need + - makes sure the files are owned by the user that will actually run the container later + - removes the `.git` directory to save space, but keeps git revision in `git-revision.txt`, should we need it for debugging + - finally, verifies that the templates path can indeed be found within the base path (sanity check) +#} +{% set dependencies = ['git', 'ssh', 'openssh-client'] %} +RUN \ + {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %} + echo '{{ matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key | b64encode }}' | base64 -d > /custom-templates-private-key && \ + chmod 400 /custom-templates-private-key && \ + {% endif %} + apt-get update && \ + apt-get install --no-install-recommends -y {{ dependencies | join(' ') }} && \ + {% if matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled %} + mkdir ~/.ssh && \ + chmod 700 ~/.ssh && \ + ssh-keyscan -t rsa {{ matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname }} >> ~/.ssh/known_hosts && \ + {% endif %} + {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}GIT_SSH_COMMAND='ssh -i /custom-templates-private-key'{% endif %} git \ + clone \ + --branch={{ matrix_synapse_container_image_customizations_templates_git_repository_branch }} \ + --depth=1 \ + --single-branch \ + --no-tags \ + {{ matrix_synapse_container_image_customizations_templates_git_repository_url }} \ + {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && \ + /bin/sh -c 'cd {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && git rev-parse HEAD > git-revision.txt' && \ + rm -rf {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/.git && \ + chown -R {{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && \ + apt-get autoremove -y {{ dependencies | join(' ') }} && \ + {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %} + rm /custom-templates-private-key && \ + {% endif %} + true + +RUN /bin/sh -c 'stat {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/{{ matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path }} || exit 1' +{% endif %} + {{ matrix_synapse_container_image_customizations_dockerfile_body_custom }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 similarity index 60% rename from roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 rename to roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 index d48ae1229..5c3a534b5 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 @@ -3,11 +3,11 @@ {{ devture_systemd_docker_base_host_command_docker }} run \ --rm \ - --env-file={{ matrix_synapse_ext_s3_storage_provider_path }}/env \ + --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_path }}/data,dst=/data \ + --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} \ - -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT' + -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 similarity index 71% rename from roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 rename to roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 index b46e89b73..6f3804cc4 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 @@ -4,10 +4,10 @@ {{ devture_systemd_docker_base_host_command_docker }} run \ -it \ --rm \ - --env-file={{ matrix_synapse_ext_s3_storage_provider_path }}/env \ + --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_path }}/data,dst=/data \ + --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index 6dfcbe418..227fd89e4 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -1,9 +1,17 @@ +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} +{% endif %} AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }} ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} BUCKET={{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket }} + +{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} +SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key }} +SSE_CUSTOMER_ALGO={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo }} +{% endif %} + STORAGE_CLASS={{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class }} MEDIA_PATH=/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 97b0f5f2b..97387e55c 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,8 +6,15 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} +{% endif %} + +{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} + sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} + sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }} +{% endif %} storage_class: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class | to_json }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 index 159681a0e..626c83857 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 @@ -4,4 +4,4 @@ Description=Migrates locally-stored Synapse media store files to S3 [Service] Type=oneshot Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStart={{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-migrate +ExecStart={{ matrix_synapse_ext_s3_storage_provider_bin_path }}/migrate diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 index 5013c7a81..14473dd7d 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 @@ -3,7 +3,7 @@ Description=Migrates locally-stored Synapse media store files to S3 [Timer] Unit=matrix-synapse-s3-storage-provider-migrate.service -OnCalendar=*-*-* 05:00:00 +OnCalendar={{ matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule }} [Install] WantedBy=timers.target diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 9b02346cf..e12bdb194 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe # default_room_version: {{ matrix_synapse_default_room_version|to_json }} +# Set to true to automatically forget rooms for users when they leave them, either +# normally or via a kick or ban. Defaults to false. +forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }} + # The GC threshold parameters to pass to `gc.set_threshold`, if defined # #gc_thresholds: [700, 10, 10] @@ -555,6 +559,9 @@ templates: # information about using custom templates. # #custom_template_directory: /path/to/custom/templates/ + {% if matrix_synapse_templates_custom_template_directory %} + custom_template_directory: {{ matrix_synapse_templates_custom_template_directory | to_json }} + {% endif %} # List of rooms to exclude from sync responses. This is useful for server # administrators wishing to group users into a room without these users being able @@ -1220,12 +1227,12 @@ oembed: # This homeserver's ReCAPTCHA public key. Must be specified if # enable_registration_captcha is enabled. # -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|string|to_json }} # This homeserver's ReCAPTCHA private key. Must be specified if # enable_registration_captcha is enabled. # -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|string|to_json }} # Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha @@ -2238,7 +2245,7 @@ sso: password_config: # Uncomment to disable password login # - #enabled: false + enabled: {{ matrix_synapse_password_config_enabled|to_json }} # Uncomment to disable authentication against the local password # database. This is ignored if `enabled` is false, and is only useful @@ -2344,7 +2351,7 @@ email: # must present a certificate that is valid for 'smtp_host'. If this option # is set to false, TLS will not be used. # - #enable_tls: false + enable_tls: {{ matrix_synapse_email_smtp_enable_tls|to_json }} # notif_from defines the "From" address to use when sending emails. # It must be set if email sending is enabled. @@ -2363,7 +2370,7 @@ email: # subjects. It defaults to 'Matrix'. # #app_name: my_branded_matrix_server - app_name: Matrix + app_name: {{ matrix_synapse_email_app_name | to_json }} # Uncomment the following to enable sending emails for messages that the user # has missed. Disabled by default. @@ -2511,7 +2518,8 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri | string|to_json }} + mode: {{ matrix_synapse_ext_password_provider_ldap_mode | string | to_json }} + uri: {{ matrix_synapse_ext_password_provider_ldap_uri | to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base | string|to_json }} active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} @@ -2532,6 +2540,8 @@ password_providers: ## Push ## push: + # enabled: false + # Clients requesting push notifications can either have the body of # the message sent in the notification poke along with other details # like the sender, or just the event ID and room ID (`event_id_only`). @@ -2620,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - #search_all_users: true + search_all_users: {{ matrix_synapse_user_directory_search_all_users | to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users @@ -2629,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - #prefer_local_users: true + prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }} # User Consent configuration @@ -2836,12 +2846,6 @@ opentracing: ## Workers ## -# Disables sending of outbound federation transactions on the main process. -# Uncomment if using a federation sender worker. -# -#send_federation: false -send_federation: {{ matrix_synapse_send_federation | to_json }} - # It is possible to run multiple federation sender workers, in which case the # work is balanced across them. # @@ -2859,7 +2863,6 @@ federation_sender_instances: {{ matrix_synapse_federation_sender_instances | to_ {% if matrix_synapse_federation_pusher_instances | length > 0 %} pusher_instances: {{ matrix_synapse_federation_pusher_instances | to_json }} {% endif %} -start_pushers: {{ matrix_synapse_start_pushers | to_json }} # When using workers this should be a map from `worker_name` to the # HTTP replication listener of the worker, if configured. diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 3d50ac9bc..4a6a01b78 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -14,14 +14,16 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s # Intentional delay, so that the homeserver can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ matrix_synapse_worker_container_name }} \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ - {% if matrix_synapse_worker_details.port != 0 %} + --network={{ matrix_synapse_container_network }} \ + {% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %} --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ {% else %} --no-healthcheck \ @@ -45,6 +47,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_synapse_docker_image_final }} \ run -m synapse.app.{{ matrix_synapse_worker_details.app }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} +{% for network in matrix_synapse_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_synapse_worker_container_name }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_synapse_worker_container_name }} ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} 2>/dev/null || true' diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 7f6c2336a..bd72f20a9 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -30,13 +30,15 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre={{ matrix_host_command_sleep }} 3 {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-synapse \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ {% if matrix_synapse_container_client_api_host_bind_port %} -p {{ matrix_synapse_container_client_api_host_bind_port }}:{{ matrix_synapse_container_client_api_port }} \ {% endif %} @@ -63,8 +65,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_synapse_docker_image_final }} \ run -m synapse.app.homeserver -c /data/homeserver.yaml +{% for network in matrix_synapse_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse 2>/dev/null || true' + ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 index 2b0df98dd..18b96a55f 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -5,15 +5,6 @@ worker_name: {{ matrix_synapse_worker_details.name }} worker_daemonize: false worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config -{% if matrix_synapse_replication_listener_enabled %} -worker_replication_host: matrix-synapse -worker_replication_http_port: {{ matrix_synapse_replication_http_port }} -{% endif %} - -{% if matrix_synapse_worker_details.type == 'generic_worker' %} -worker_main_http_uri: http://matrix-synapse:{{ matrix_synapse_container_client_api_port }} -{% endif %} - {% set http_resources = [] %} {% if matrix_synapse_worker_details.type == 'user_dir' %} diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 4da284106..a12b44017 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -3,11 +3,11 @@ matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_synapse_role_executed: false - matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path | basename }}" +# Optionally: `false` to fully disable tls on outbound smtp +matrix_synapse_email_smtp_enable_tls: true + # A Synapse generic worker can handle both federation and client-server API endpoints. # We wish to split these, as we normally serve federation separately and don't want them mixed up. # @@ -137,6 +137,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/(v1|v2)/send_leave/ - ^/_matrix/federation/(v1|v2)/invite/ - ^/_matrix/federation/v1/event_auth/ + - ^/_matrix/federation/v1/timestamp_to_event/ - ^/_matrix/federation/v1/exchange_third_party_invite/ - ^/_matrix/federation/v1/user/devices/ - ^/_matrix/key/v2/query @@ -155,7 +156,6 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/v1/rooms/.*/hierarchy$ - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/ - ^/_matrix/client/v1/rooms/.*/threads$ - - ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(r0|v3|unstable)/account/whoami$ @@ -164,7 +164,12 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ + - ^/_matrix/client/v1/rooms/.*/timestamp_to_event$ + - ^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ + - ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) + - ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ + - ^/_matrix/client/(r0|v3|unstable)/capabilities$ # Encryption requests # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` @@ -177,7 +182,9 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - ^/_matrix/client/(r0|v3|unstable)/register$ + - ^/_matrix/client/(r0|v3|unstable)/register/available$ - ^/_matrix/client/v1/register/m.login.registration_token/validity$ + - ^/_matrix/client/(r0|v3|unstable)/password_policy$ # Event sending requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact @@ -185,6 +192,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/join/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ # Start of intentionally-ignored-endpoints diff --git a/roles/custom/matrix-user-creator/defaults/main.yml b/roles/custom/matrix-user-creator/defaults/main.yml index 5c90a1e0f..20aad3d10 100644 --- a/roles/custom/matrix-user-creator/defaults/main.yml +++ b/roles/custom/matrix-user-creator/defaults/main.yml @@ -20,3 +20,6 @@ matrix_user_creator_users_auto: [] # Add your own users here to have them end up in `matrix_user_creator_users` (see `vars/main.yml`) and get automatically created. # For example syntax for this variable, see the documentation for `matrix_user_creator_users` in `vars/main.yml`. matrix_user_creator_users_additional: [] + +# matrix_user_creator_homeserver_start_wait_time_seconds specifies how long to wait after starting the homeserver service and before doing our work. +matrix_user_creator_homeserver_start_wait_time_seconds: 10 diff --git a/roles/custom/matrix-user-creator/tasks/main.yml b/roles/custom/matrix-user-creator/tasks/main.yml index ba20504f7..ff93a4633 100644 --- a/roles/custom/matrix-user-creator/tasks/main.yml +++ b/roles/custom/matrix-user-creator/tasks/main.yml @@ -1,9 +1,10 @@ --- -- when: matrix_user_creator_users | length > 0 - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: # This role intentionally doesn't do work on a `setup-all` tag. # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data, # which would make importing a database dump problematic. - ensure-matrix-users-created + block: + - when: matrix_user_creator_users | length > 0 + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-user-creator/tasks/setup.yml b/roles/custom/matrix-user-creator/tasks/setup.yml index 73dfd4548..bcf2fd65f 100644 --- a/roles/custom/matrix-user-creator/tasks/setup.yml +++ b/roles/custom/matrix-user-creator/tasks/setup.yml @@ -8,10 +8,6 @@ # Suppress logging to avoid dumping the credentials to the shell no_log: true -- name: Ensure systemd is reloaded before starting the homeserver - ansible.builtin.service: - daemon_reload: true - - name: Ensure homeserver is started before creating Matrix users ansible.builtin.service: name: "matrix-{{ matrix_homeserver_implementation }}.service" @@ -21,7 +17,7 @@ - name: Wait a while, so that the homeserver can manage to start before creating Matrix users ansible.builtin.pause: - seconds: 7 + seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}" when: matrix_user_registrator_homeserver_start_result.changed | bool - name: Ensure Matrix users are created diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml new file mode 100644 index 000000000..b553ad12b --- /dev/null +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -0,0 +1,69 @@ +--- +# Set this to the display name for ansible used in Output e.g. fail_msg +matrix_user_verification_service_ansible_name: "Matrix User Verification Service" + +# Enable by default. This is overwritten in provided group vars. +matrix_user_verification_service_enabled: true + +# Fix version tag +matrix_user_verification_service_version: "v2.0.0" + +# Paths +matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service" +matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config" +matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env" + +# Docker +matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}" +matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}" +matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_user_verification_service_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_user_verification_service_container_additional_networks: [] + +matrix_user_verification_service_container_name: "matrix-user-verification-service" +# This will be set in group vars +matrix_user_verification_service_container_http_host_bind_port: '' +matrix_user_verification_service_container_extra_arguments: [] +# Systemd +matrix_user_verification_service_systemd_required_services_list: [] +matrix_user_verification_service_systemd_wanted_services_list: [] +matrix_user_verification_service_systemd_service_basename: "matrix-user-verification-service" +matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verification_service_systemd_service_basename }}.service" + +# Matrix User Verification Service Configuration +## REQUIRED + +# Homeserver client API admin token (synapse only)- Required for the service to verify room membership +matrix_user_verification_service_uvs_access_token: '' + +# homeserver client api url +matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}" +# disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip. +matrix_user_verification_service_uvs_disable_ip_blacklist: false + +## OPTIONAL + +# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call. +# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token +matrix_user_verification_service_uvs_require_auth: true +# Auth token to protect the API +# If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN". +# A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers +matrix_user_verification_service_uvs_auth_token: '' + +# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. +matrix_user_verification_service_uvs_pin_openid_verify_server_name: true +# Matrix server name to verify OpenID tokens against. +# This is not the homeserverURL, but rather the domain in the matrix "user ID" +# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to "" +matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" + +# Log level +# See choices here: https://github.com/winstonjs/winston#logging-levels +matrix_user_verification_service_uvs_log_level: info diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml new file mode 100644 index 000000000..1b65f86a6 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/main.yml @@ -0,0 +1,19 @@ +--- + +- tags: + - setup-all + - setup-user-verification-service + - install-all + - install-user-verification-service + block: + - when: run_setup | bool and matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + - when: run_setup | bool and matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-user-verification-service + block: + - when: run_setup | bool and not matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml new file mode 100644 index 000000000..54d5d979b --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -0,0 +1,42 @@ +--- + +- name: "Ensure Matrix User Verification Service paths exist" + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_user_verification_service_config_path }}", when: true} + when: item.when | bool + +- name: Ensure Matrix User Verification Service image is pulled + community.docker.docker_image: + name: "{{ matrix_user_verification_service_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Matrix User Verification Service env file installed + ansible.builtin.template: + src: "{{ role_path }}/templates/.env.j2" + dest: "{{ matrix_user_verification_service_config_env_file }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0644 + +- name: Ensure matrix-user-verification-service container network is created + community.general.docker_network: + name: "{{ matrix_user_verification_service_container_network }}" + driver: bridge + +- name: Ensure matrix-user-verification-service.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + mode: 0644 diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml new file mode 100644 index 000000000..b61f9cdd2 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-user-verification-service service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + register: matrix_user_verification_service_service_stat + +- when: matrix_user_verification_service_service_stat.stat.exists | bool + block: + - name: Ensure matrix-user-verification-service is stopped + ansible.builtin.service: + name: "{{ matrix_user_verification_service_systemd_service_basename }}" + state: stopped + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-user-verification-service.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + state: absent + + - name: Ensure Matrix user-verification-service paths don't exist + ansible.builtin.file: + path: "{{ matrix_user_verification_service_base_path }}" + state: absent diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml new file mode 100644 index 000000000..9d7f1be8c --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml @@ -0,0 +1,25 @@ +--- + +- name: Verify homeserver_url is not empty + ansible.builtin.assert: + that: + - matrix_user_verification_service_uvs_homeserver_url|length > 0 + fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" + +- name: Verify Auth is configured properly or disabled + ansible.builtin.assert: + that: + - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool + fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'." + +- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled. + ansible.builtin.assert: + that: + - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool + fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'." + +- name: Verify the homeserver implementation is synapse + ansible.builtin.assert: + that: + - matrix_homeserver_implementation == 'synapse' + fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation" diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2 new file mode 100644 index 000000000..359eed2a1 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/templates/.env.j2 @@ -0,0 +1,11 @@ +UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }} +UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} +UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} +UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} +{% if matrix_user_verification_service_uvs_require_auth | bool %} + UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} +{% endif %} +{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %} + UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} +{% endif %} + diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 new file mode 100644 index 000000000..683982632 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 @@ -0,0 +1,48 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description={{ matrix_user_verification_service_ansible_name }} +{% for service in matrix_user_verification_service_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_user_verification_service_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' + + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ + --rm \ + --name={{ matrix_user_verification_service_container_name }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_user_verification_service_container_network }} \ + {% if matrix_user_verification_service_container_http_host_bind_port %} + -p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \ + {% endif %} + --mount type=bind,src={{ matrix_user_verification_service_config_env_file }},dst=/app/.env,ro \ + {% for arg in matrix_user_verification_service_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_user_verification_service_docker_image }} + +{% for network in matrix_user_verification_service_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_user_verification_service_container_name }} +{% endfor %} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_user_verification_service_systemd_service_basename }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml new file mode 100644 index 000000000..c61e71201 --- /dev/null +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -0,0 +1,28 @@ +--- + +# Controls if (`matrix_prometheus_node_exporter` -> `prometheus_node_exporter`) validation will run. +matrix_playbook_migration_matrix_prometheus_node_exporter_migration_validation_enabled: true + +# Controls if (`matrix_prometheus_postgres_exporter` -> `prometheus_postgres_exporter`) validation will run. +matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_validation_enabled: true + +# Controls if (`matrix_backup_borg` -> `backup_borg`) validation will run. +matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled: true + +# Controls if (`matrix_grafana` -> `grafana`) validation will run. +matrix_playbook_migration_matrix_grafana_migration_validation_enabled: true + +# Controls if (`matrix_ntfy` -> `ntfy`) validation will run. +matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true + +# Controls if (`matrix_redis` -> `redis`) validation will run. +matrix_playbook_migration_matrix_redis_migration_validation_enabled: true + +# Controls if (`matrix_etherpad` -> `etherpad`) validation will run. +matrix_playbook_migration_matrix_etherpad_migration_validation_enabled: true + +# Controls if (`matrix_aux` -> `aux`) validation will run. +matrix_playbook_migration_matrix_aux_migration_validation_enabled: true + +# Controls if (`matrix_jitsi` -> `jitsi`) validation will run. +matrix_playbook_migration_matrix_jitsi_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml b/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml new file mode 100644 index 000000000..586b5c47e --- /dev/null +++ b/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml @@ -0,0 +1,26 @@ +--- + +- name: Find leftover matrix scripts in /usr/local/bin + ansible.builtin.find: + path: "/usr/local/bin" + patterns: + - matrix-change-user-admin-status + - matrix-dendrite-create-account + - matrix-make-user-admin + - matrix-postgres-cli + - matrix-postgres-cli-non-interactive + - matrix-postgres-update-user-password-hash + - matrix-remove-all + - matrix-ssl-certificates-renew + - matrix-ssl-lets-encrypt-certificates-renew + - matrix-synapse-register-user + - matrix-synapse-s3-storage-provider-migrate + - matrix-synapse-s3-storage-provider-shell + - matrix-synapse-worker-write-pid + register: matrix_usr_local_bin_files_result + +- name: Ensure /usr/local/bin does not contain matrix scripts + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + with_items: "{{ matrix_usr_local_bin_files_result.files }}" diff --git a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml new file mode 100644 index 000000000..f192cf015 --- /dev/null +++ b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml @@ -0,0 +1,35 @@ +--- + +# This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/matrix/traefik`, controlled by `devture_traefik_base_path`), +# and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`matrix-traefik.service`, controlled by `devture_traefik_identifier`). +# +# Here, we merely disable (and stop) the old systemd service and relocate the data (`/devture-traefik` directory). +# The Traefik role itself (running later) will then ensure this data is up-to-date and will set up the new systemd service. + +# It only makes sense to migrate if the identifier or path are different than the default (what we were using before). +- when: "devture_traefik_identifier != 'devture-postgres' or devture_traefik_base_path != '/devture-traefik'" + block: + - name: Check existence of devture-traefik.service systemd service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + register: devture_traefik_service_stat + + - when: devture_traefik_service_stat.stat.exists | bool + block: + - name: Ensure devture-traefik.service systemd service is stopped + ansible.builtin.systemd: + name: devture-traefik + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure Traefik directory relocated + ansible.builtin.command: + cmd: "mv /devture-traefik {{ devture_traefik_base_path }}" + creates: "{{ devture_traefik_base_path }}" + removes: "/devture-traefik" + + - name: Ensure Traefik systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + state: absent diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index c346a759b..4dbd3554f 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml @@ -1,5 +1,22 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" +- tags: + - setup-all + - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + +- tags: + - setup-all + - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml" + +- when: devture_traefik_enabled | bool tags: - setup-all + - install-all + - setup-traefik + - install-traefik + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 0b738a57a..c61a51957 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -24,3 +24,187 @@ - {'old': 'matrix_container_retries_delay', 'new': 'devture_playbook_help_container_retries_delay'} - {'old': 'matrix_geturl_retries_count', 'new': 'devture_playbook_help_geturl_retries_count'} - {'old': 'matrix_geturl_retries_delay', 'new': 'devture_playbook_help_geturl_retries_delay'} + + - {'old': 'matrix_nginx_proxy_synapse_cache_path', 'new': 'matrix_synapse_reverse_proxy_companion_synapse_cache_path'} + - {'old': 'matrix_nginx_proxy_synapse_cache_enabled', 'new': 'matrix_synapse_reverse_proxy_companion_synapse_cache_enabled'} + + - {'old': 'matrix_docker_installation_enabled', 'new': 'matrix_playbook_docker_installation_enabled'} + - {'old': 'matrix_docker_package_name', 'new': ''} + + - {'old': 'matrix_systemd_services_list', 'new': 'devture_systemd_service_manager_services_list_additional'} + - {'old': 'matrix_common_after_systemd_service_start_wait_for_timeout_seconds', 'new': 'devture_systemd_service_manager_up_verification_delay_seconds'} + - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} + - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} + - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'} + - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'} + - {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'} + + # Most important variables from the old Prometheus role here, for people who miss the changelog entry + - {'old': 'matrix_prometheus_enabled', 'new': 'prometheus_enabled'} + - {'old': 'matrix_prometheus_process_default_arguments', 'new': 'prometheus_process_default_arguments'} + - {'old': 'matrix_prometheus_process_extra_arguments', 'new': 'prometheus_process_extra_arguments'} + - {'old': 'matrix_prometheus_configuration_extension_yaml', 'new': 'prometheus_configuration_extension_yaml'} + - {'old': 'matrix_prometheus_scraper_synapse_enabled', 'new': 'matrix_prometheus_services_connect_synapse_enabled'} + - {'old': 'matrix_prometheus_scraper_synapse_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_synapse_workers_enabled_list', 'new': 'matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list'} + - {'old': 'matrix_prometheus_scraper_synapse_rules_synapse_tag', 'new': 'matrix_prometheus_services_connect_synapse_rules_download_synapse_tag'} + - {'old': 'matrix_prometheus_scraper_node_enabled', 'new': 'prometheus_self_node_scraper_enabled'} + - {'old': 'matrix_prometheus_scraper_node_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_postgres_enabled', 'new': 'matrix_prometheus_services_connect_scraper_postgres_enabled'} + - {'old': 'matrix_prometheus_scraper_postgres_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_hookshot_enabled', 'new': 'matrix_prometheus_services_connect_scraper_hookshot_enabled'} + - {'old': 'matrix_prometheus_scraper_hookshot_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_nginxlog_enabled', 'new': 'matrix_prometheus_services_connect_scraper_nginxlog_enabled'} + - {'old': 'matrix_prometheus_scraper_nginxlog_server_port', 'new': 'matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target'} + - {'old': 'matrix_prosody_jitsi_max_participants', 'new': 'jitsi_prosody_max_participants'} + - {'old': 'jitsi_require_well_known', 'new': 'jitsi_web_well_known_element_jitsi_enabled'} + - {'old': 'jitsi_wellknown_element_jitsi_json', 'new': 'jitsi_web_well_known_element_jitsi_json'} + +- name: (Deprecation) Catch and report matrix_postgres variables + ansible.builtin.fail: + msg: |- + The matrix-postgres role in the playbook has been replaced with the com.devture.ansible.role.postgres role (https://github.com/devture/com.devture.ansible.role.postgres). + The new role is pretty much the same, but uses differently named variables. + + The matrix-postgres-backup role in the playbook has been replaced with the com.devture.ansible.role.postgres_backup role (https://github.com/devture/com.devture.ansible.role.postgres_backup). + The new role is pretty much the same, but uses differently named variables. + + Please change your configuration (vars.yml) to rename all `matrix_postgres`-prefixed variables (`matrix_postgres_*` -> `devture_postgres_*`). + + The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | map (attribute='key') | join(', ') }} + when: "vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | list | items2dict" + +- when: matrix_playbook_migration_matrix_prometheus_node_exporter_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_prometheus_node_exporter_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_prometheus_node_exporter variables + ansible.builtin.fail: + msg: >- + The matrix-prometheus-node-exporter role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/prometheus_node_exporter. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`). + We found usage of the following variables: {{ matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_prometheus_postgres_exporter_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_prometheus_postgres_exporter variables + ansible.builtin.fail: + msg: >- + The matrix-prometheus-postgres-exporter role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`). + We found usage of the following variables: {{ matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_backup_borg_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_backup_borg_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_backup_borg variables + ansible.builtin.fail: + msg: >- + The matrix-backup-borg role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/backup_borg. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_backup_borg_` -> `backup_borg_`). + We found usage of the following variables: {{ matrix_playbook_migration_backup_borg_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_backup_borg_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_grafana_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_grafana_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_grafana_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_grafana variables + ansible.builtin.fail: + msg: >- + The matrix-grafana role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/grafana. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_grafana_` -> `grafana_`). + We found usage of the following variables: {{ matrix_playbook_migration_grafana_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_grafana_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_ntfy_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_ntfy_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_ntfy_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_ntfy variables + ansible.builtin.fail: + msg: >- + The matrix-ntfy role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/ntfy. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_ntfy_` -> `ntfy_`). + We found usage of the following variables: {{ matrix_playbook_migration_ntfy_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_ntfy_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_redis_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_redis_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_redis_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_redis variables + ansible.builtin.fail: + msg: >- + The matrix-redis role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/redis. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_redis_` -> `redis_`). + We found usage of the following variables: {{ matrix_playbook_migration_redis_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_redis_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_etherpad_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_etherpad_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_etherpad_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_etherpad variables + ansible.builtin.fail: + msg: >- + The matrix-etherpad role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/etherpad. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_etherpad_` -> `etherpad_`). + We found usage of the following variables: {{ matrix_playbook_migration_etherpad_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_etherpad_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_aux_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_aux_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_aux_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_aux variables + ansible.builtin.fail: + msg: >- + The matrix-aux role that used to be part of this playbook has been replaced by https://github.com/mother-of-all-self-hosting/ansible-role-aux. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_aux_` -> `aux_`). + We found usage of the following variables: {{ matrix_playbook_migration_aux_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_aux_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_jitsi_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_jitsi_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_jitsi_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_jitsi variables + ansible.builtin.fail: + msg: >- + The matrix-jitsi role that used to be part of this playbook has been replaced by https://github.com/mother-of-all-self-hosting/ansible-role-jitsi. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_jitsi_` -> `jitsi_`). + We found usage of the following variables: {{ matrix_playbook_migration_jitsi_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_jitsi_migration_vars | length > 0" diff --git a/setup.yml b/setup.yml old mode 100755 new mode 100644 index 5bbda0c1e..0c324700f --- a/setup.yml +++ b/setup.yml @@ -4,24 +4,46 @@ become: true roles: - # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `make roles` command (see `Makefile`). + # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). - role: galaxy/com.devture.ansible.role.playbook_help - role: galaxy/com.devture.ansible.role.systemd_docker_base - role: custom/matrix_playbook_migration + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - install-docker + - install-all + - when: devture_timesync_installation_enabled | bool role: galaxy/com.devture.ansible.role.timesync tags: - setup-timesync - setup-all + - install-timesync + - install-all - custom/matrix-base - custom/matrix-dynamic-dns - custom/matrix-mailer - - custom/matrix-postgres - - custom/matrix-redis + + - role: galaxy/com.devture.ansible.role.postgres + + - galaxy/redis - custom/matrix-corporal - custom/matrix-bridge-appservice-discord - custom/matrix-bridge-appservice-slack @@ -37,9 +59,11 @@ - custom/matrix-bridge-mautrix-instagram - custom/matrix-bridge-mautrix-signal - custom/matrix-bridge-mautrix-telegram + - custom/matrix-bridge-mautrix-gmessages - custom/matrix-bridge-mautrix-whatsapp - custom/matrix-bridge-mautrix-wsproxy - custom/matrix-bridge-mautrix-discord + - custom/matrix-bridge-mautrix-slack - custom/matrix-bridge-mx-puppet-discord - custom/matrix-bridge-mx-puppet-groupme - custom/matrix-bridge-mx-puppet-steam @@ -57,40 +81,66 @@ - custom/matrix-bot-postmoogle - custom/matrix-bot-go-neb - custom/matrix-bot-mjolnir + - custom/matrix-bot-draupnir + - custom/matrix-bot-chatgpt - custom/matrix-cactus-comments + - custom/matrix-rageshake - custom/matrix-synapse + - custom/matrix-synapse-auto-compressor + - custom/matrix-synapse-reverse-proxy-companion - custom/matrix-dendrite - custom/matrix-conduit - custom/matrix-synapse-admin - - custom/matrix-prometheus-node-exporter - - custom/matrix-prometheus-postgres-exporter - - custom/matrix-prometheus - - custom/matrix-grafana + - galaxy/prometheus_node_exporter + - galaxy/prometheus_postgres_exporter + - custom/matrix-prometheus-nginxlog-exporter + - galaxy/prometheus + - galaxy/grafana + - custom/matrix-prometheus-services-connect + - custom/matrix-prometheus-services-proxy-connect - custom/matrix-registration - custom/matrix-client-element - custom/matrix-client-hydrogen - custom/matrix-client-cinny - - custom/matrix-jitsi + - galaxy/jitsi + - custom/matrix-user-verification-service - custom/matrix-ldap-registration-proxy - custom/matrix-ma1sd - custom/matrix-dimension - - custom/matrix-etherpad + - galaxy/etherpad + - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync - custom/matrix-email2matrix - custom/matrix-sygnal - - custom/matrix-ntfy + - galaxy/ntfy - custom/matrix-nginx-proxy - custom/matrix-coturn - - custom/matrix-aux - - custom/matrix-postgres-backup - - custom/matrix-backup-borg + - custom/matrix-media-repo + + - role: galaxy/auxiliary + + - role: galaxy/com.devture.ansible.role.postgres_backup + + - role: galaxy/backup_borg + - custom/matrix-user-creator - custom/matrix-common-after + - role: galaxy/com.devture.ansible.role.container_socket_proxy + + - role: galaxy/com.devture.ansible.role.traefik + + - role: galaxy/com.devture.ansible.role.traefik_certs_dumper + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager + # This is pretty much last, because we want it to better serve as a "last known good configuration". # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 - when: devture_playbook_state_preserver_enabled | bool role: galaxy/com.devture.ansible.role.playbook_state_preserver tags: - setup-all + - install-all - role: galaxy/com.devture.ansible.role.playbook_runtime_messages